Considered by most to be the first computer worm ever,
the Creeper worm was written over 40 years ago. Unlike
today's worms and other malicious code, Creeper was not
written with malicious intent, but rather as an experiment in
self-replicating code. It spread through the ARPANET — a
precursor to the modern Internet — by "jumping" from machine
to machine, and it caused an infected system to display the
message: "I'M THE CREEPER, CATCH ME IF YOU CAN." In
response, the first antivirus program, Reaper (itself a computer
worm), was created.

Back then it would have been nearly impossible to pre- 
dict how dependent we would become on modern network- 
ing and computing infrastructure. As a sign of our increasing 
dependency on modern networking, this issue of The Next 
Wave (TNW) as well as future issues will be available primar- 
ily electronically instead of in print. As with commercial 
publishers, the federal government is finding the incentives 
to move from a print publication to an electronic publication 
irresistible — increased audience for lower cost. 

It would also have been nearly impossible to predict 
the difficulty of defending the modern infrastructure. Early 
research on computer security had already begun by the 
time Creeper was spreading through the ARPANET. Yet, after 
over 40 years of research and development on computer 
and information security, we find ourselves searching for 
fundamental answers on how to secure systems in cyber- 
space. This existing research base has yielded important and 
significant findings through the decades, and computing 
systems are unquestionably more secure as a result. There 
is, however, an increasing awareness in the cybersecurity 
community that the research has not produced a consistent 
scientific understanding of cybersecurity and that such an 
understanding is now urgently required. 

This issue of TNW is the second of two issues dedicated
to the science of cybersecurity. The first issue, published
in March of 2012, included contributions from experts
primarily from academia and the private sector and offered
an impressive collection of insights that touched on a wide
range of perspectives on the problem, from technology to
policy to strategy and more. This second issue includes
contributions from experts within government (US and UK) and
offers a wide array of perspectives on the problem as well as
activities under way to develop and implement solutions.

There are some promising indications that a science of
cybersecurity initiative is gaining momentum, including
several workshops, conferences, and reports that point
to the need for an interdisciplinary approach to addressing
the problem. Most recently, in November of 2012, NSA
sponsored the first annual Science of Security Community
meeting to discuss issues foundational to the advancement
of a science of cybersecurity. This issue of TNW provides
additional detail on some other notable activities taking place
both inside and outside of government.

The theme of interdisciplinarity is important. Indeed, 
there is evidence that scientific advances often occur at the 
boundaries of established but related fields, when scientists 
from different disciplines address a problem free from the 
ordinary constraints of working in a more intradisciplinary 
fashion. A science of cybersecurity offers many opportuni- 
ties for advances based on a multidisciplinary approach, 
because, after all, cybersecurity is fundamentally about an 
adversarial engagement. Humans must defend machines 
that are attacked by other humans using machines. So, in 
addition to the critical traditional fields of computer sci- 
ence, electrical engineering, and mathematics, perspectives 
from other fields are needed. Cognitive science will help us 
understand adversarial intent and human decision making 
under uncertainty in cyberspace. Economics will illuminate 
how misaligned economic incentives hamper fundamental 
progress in cybersecurity. Biology will shed light on the 
extent to which it may be possible to transfer concepts from 
our understanding of the human immune system toward the
conceptualization of a cyber immune system. Thinking
from other scientific disciplines will offer perspectives 
that will trigger new, valuable ideas. 

Progress in this new science will be unpredictable, 
uneven, and slower than we want. We will need to be 
patient. Cybersecurity research experts will have to resist 
the urge to focus their efforts on the cyberattack of the 
day. We will need our research scientists to help us un- 
derstand not only what is possible, but also what is not 
possible. Indeed, a rigorous understanding of the limits 
of cybersecurity will be fundamental to the formation 
of the new science. We have learned much about how 
to defend computing systems since the first computer 
worm, but now we must advance our understanding 
through the creation of a disciplined and systematic sci- 
ence of cybersecurity. We cannot wait any longer; there 
is too much at stake.

A previous issue of NSA's The Next Wave magazine
provided academic perspectives on what a cyber- 
security science might look like. This follow-on issue 
focuses on the government's response to this topic by 
describing how various organizations, individually and 
collectively, are addressing the challenges of developing 
a true science for cybersecurity. 

The past several decades have witnessed the 
phenomenon of a fledgling military computer network 
transform into an essential national and international 
information infrastructure that has fueled the growth of 
the global information age. This new infrastructure, of- 
ten described as cyberspace, has already taken its place 
alongside long-established infrastructures, such as the 
national transportation system, in shaping society and 
reshaping governments. 

The rapid acceptance and pervasiveness of this 
information technology, and cyber technology more 
generally, has come with a significant cost. We see evi- 
dence of that cost on almost a daily basis, and often with 
spectacular consequences. The ongoing cyber-thefts 
from the networks of public and private organizations, 
including Fortune 500 companies, represent the greatest 
transfer of wealth in human history. 

While the need for cybersecurity is widely recognized,
current views and definitions of security differ
greatly. Commercial-world cybersecurity implements
new security measures in reaction to new cyberattacks
in an unending arms race. The discipline of security
engineering implements best practices to build less
vulnerable cyber systems, but security failures often
arise in spite of compliance with best practices. Both
approaches seek to secure known vulnerabilities of systems
against attack. But, the systems and the cyber environment
are dynamic, not static, and new vulnerabilities
arise. Security fails in this dynamic environment when
the adversary simply changes the game by exploiting
new vulnerabilities. Adversaries have the easier job, and
they can expand their methodologies and techniques to
acquire significant power in cyberspace with relatively
modest resources.

The ball is now in our court. 

In recognition of cybersecurity as a national priority, 
the US Cyber Command was chartered to protect our 
national interests in cyberspace. Although support for 
this national initiative is gaining ground, it is imperative, 
going forward, that we broaden our understanding of 
the science that underpins cybersecurity. We must form 
collaborative public and private partnerships and devote 
more attention to understanding security science. And it 
must be a team effort with the DoD, FBI, and DHS work- 
ing together for the benefit of the nation. For decades, 
NSA has invested heavily in cryptology, but because our 
nation's current security challenges involve so much 
more than cryptography and cryptanalysis, we will lead 
the effort to broaden our work in the science of security. 




KEITH B. ALEXANDER
General, US Army 
Commander, US Cyber Command 
Director, NSA/Chief, CSS

In December 2011, the White House Office of Science
and Technology Policy (OSTP) released the
document, "Trustworthy cyberspace: Strategic
plan for the federal cybersecurity research and development
program" [1] which provides a framework
for a set of coordinated federal strategic priorities and
objectives for cybersecurity research. The release of
this strategic plan marked an important milestone
by the federal government's research community. It
expresses an understanding of key causes of cybersecurity
deficiencies and presents research themes with
high potential to significantly improve the security of
cyber systems and infrastructure. The strategic plan
is a culmination of many efforts within the federal
government, most notably by the Cyber Security and
Information Assurance (CSIA) Senior Steering Group
for Cybersecurity Research and Development (R&D),
the CSIA Interagency Working Group of the federal
Networking and Information Technology Research
and Development (NITRD) Program, and by the
Special Cyber Operations Research and Engineering
(SCORE) Interagency Working Group.

Leaping ahead on cybersecurity 

Focused efforts to develop a federal cybersecurity
R&D strategy gained momentum in 2008 with the
Leap-Ahead Initiative, a component of the Comprehensive
National Cybersecurity Initiative (CNCI) [2].
Pursuant to CNCI, OSTP tasked the NITRD Program
with carrying out the R&D goals of this initiative — to
coordinate and prioritize R&D efforts and to develop
strategies for a portfolio of government R&D activities
to pursue high-risk/high-payoff solutions to critical
cybersecurity problems. At the onset, the CSIA Senior
Steering Group determined that a government-wide
framework for cybersecurity research was needed
to provide both the coordination mechanism and
the strategic directions for R&D. It was also clear
within the CSIA Senior Steering Group that in order
to achieve high-payoff, transformational results
in cybersecurity, the framework needed to embody
the following principles: the research must focus
on root causes of cybersecurity vulnerabilities (not
symptoms); the research activities must bring together
expertise from a range of disciplines, given that
cybersecurity is a challenge with technological, social,
and economic aspects; and we must develop enduring
cybersecurity concepts to assure trustworthiness
of our systems despite changes in technologies and
cyber threats.

NITRD Program coordinates federal
R&D in computing and cybersecurity

Since 1991, the federal Networking and Information
Technology Research and Development
(NITRD) Program has been the forum
for coordinating interagency research activities
in networking, computing, software, cybersecurity,
and related information technology areas.
Cybersecurity research is coordinated among the
agencies in the Cyber Security and Information
Assurance (CSIA) Interagency Working Group.

The primary participants are representatives
from the Defense Advanced Research Projects
Agency (DARPA), the Department of Homeland
Security (DHS) Directorate of Science and Technology,
the Department of Energy (DOE), the
Intelligence Advanced Research Projects Activity
(IARPA), the National Institute of Standards and
Technology (NIST), the National Security Agency
(NSA), the National Science Foundation (NSF), the
Office of the Secretary of Defense (OSD), and the
DoD Service Research Organizations. Along with
the CSIA Interagency Working Group, the Special
Cyber Operations Research and Engineering
(SCORE) Interagency Working Group coordinates
research related to national security systems.

The NITRD CSIA R&D Senior Steering Group was
established in 2008 in response to the Presidential
Comprehensive National Cybersecurity Initiative
to define, coordinate, and recommend strategic
federal R&D objectives in cybersecurity and to
provide a robust conduit for cybersecurity R&D
information across the policy, fiscal, and research
levels of the government. The CSIA Senior Steering
Group is composed of senior representatives
of agencies with national cybersecurity leadership
positions, including the Office of the Director of
National Intelligence, DoD, DHS, NSA, NSF, NIST,
the White House Office of Science and Technology
Policy, and the Office of Management and Budget.

With these principles in mind, the CSIA Senior
Steering Group issued three public requests for input
from October 2008 through April 2009, canvassing
industry and academia for game-changing ideas that
could fundamentally change the cyber environment
into one where the rightful users and owners have an
advantage over attackers and illicit efforts. Two hundred
and thirty-eight responses were received by the
CSIA Senior Steering Group. (To view and download
copies of the responses, see [3].) The Senior Steering
Group's review of the responses gave rise to five prospective
game-changing categories: hardware-enabled
trust, cyber economics, moving target defense, digital
provenance, and nature-inspired cyber health. In
August 2009, the NITRD Program and OSTP held the
National Cyber Leap Year Summit where some 150
researchers from industry, academia, and government
met for four days to examine the five game-changing
categories. The Summit provided a forum to review
the prospective categories, elevate key ideas, and capture
the output in the Co-Chairs' Report [4] and the
Participants' Ideas Report [5].

Following the National Cyber Leap Year Summit, 
the CSIA Senior Steering Group synthesized the five 
game-changing category reports and established three 
initial cybersecurity R&D themes: tailored trustworthy 
spaces, moving target, and cyber economic incentives. 
These themes were announced [6] at a public event 
collocated with the 2010 Institute for Electrical and 
Electronic Engineers Symposium on Security & Pri- 
vacy. Two months later, the White House released the 
Office of Management and Budget/Office of Science 
and Technology Policy's memo to the agency heads on 
science and technology priorities for the 2012 fiscal 
year budget [7], highlighting the three cybersecurity 
R&D themes and directing agencies to utilize the 
themes in prioritizing cybersecurity R&D budgets and 
programs. The release of the White House memo ac- 
celerated the creation of new programs to focus on the 
three cybersecurity R&D themes.

Cybersecurity R&D thrusts

With the successful release of the framework for 
cybersecurity game-changing R&D, the CSIA Senior 
Steering Group and the CSIA Interagency Work- 
ing Group began developing the federal cybersecu- 
rity R&D strategic plan. Together with accelerating 
research in areas with game-changing potential, four 
areas (or thrusts) were defined by the strategic plan: 

► Inducing change — utilizing game-changing 
themes to direct efforts toward understanding 
the underlying root causes of known threats with 
the goal of disrupting the status quo; the research 
themes in the strategic plan include tailored 
trustworthy spaces, moving target, cyber eco- 
nomic incentives, and designed-in security; 

► Developing scientific foundations — developing 
an organized, cohesive scientific foundation to 
the body of knowledge that informs the field of 
cybersecurity through adoption of a systematic, 
rigorous, and disciplined scientific approach; 

► Maximizing research impact — catalyzing inte- 
gration across the game-changing R&D themes, 
cooperation between governmental and private- 
sector communities, collaboration across inter- 
national borders, and strengthened linkages to 
other national priorities, such as health IT and 
Smart Grid; and 

► Accelerating transition to practice — focusing 
efforts to ensure adoption and implementation 
of the powerful new technologies and strate- 
gies that emerge from the research themes and 
of the activities to build a scientific foundation 
so as to create measurable improvements in the 
cybersecurity landscape. 

The strategic plan deliberately does not focus on
specific technical challenges, such as more secure operating
systems. Instead, the plan defines desired end
states and future capabilities, which, if achieved, would
overcome critical underlying causes of cybersecurity
vulnerabilities. By defining the end states, the themes
invite a diversity of approaches and encourage innovation
across disciplines and sectors. The essence of the
strategic plan is to express a vision for the research
necessary to develop game-changing technologies
that can neutralize the attacks on the cyber systems of
today and lay the foundation for a scientific approach
that better prepares the field to meet the challenges of
securing the cyber systems of tomorrow. Altogether,
the plan provides guidance for federal agencies, researchers,
and the public on how to prioritize research
activities to achieve the greatest impact.

Efforts to develop scientific foundations 
in cybersecurity 

In conjunction with the process to formally release the 
strategic plan, the federal agencies with R&D activities 
in cybersecurity began to introduce programs to pur- 
sue the goals outlined within each of these thrusts. In 
support of the thrust embodying the development of 
scientific foundations are representative R&D activi- 
ties such as: 

► The Air Force Office of Scientific Research
(AFOSR) 2011 Science of Security (SoS) Multidisciplinary
Research Program of the University
Research Initiative (MURI). The objective of the
AFOSR 2011 SoS MURI is to begin the development
of an architecture or first principle foundation
to define cybersecurity. The intent is to
discover and define basic system properties that
compose system security and other useful attributes
in a manner that allows system properties
to be verified and validated through theoretical
proof and/or experiment.

► NSA SoS lablets. NSA support to academic lablets
is focused on the development of a science
of cybersecurity and a broad, self-sustaining
community effort to advance it. A major goal
is the creation of a unified body of knowledge
that can serve as the basis of a trust engineering
discipline, curriculum, and rigorous design
methodologies. The results of SoS lablet research
are to be extensively documented and widely distributed
through the use of a new, network-based
collaboration environment. The intention is for
that environment to be the primary resource for
learning about ongoing work in security science
and to be a place to participate with others in
advancing the state of the art.

► The Army Research Laboratory (ARL) science 
for cyber portfolio. The goal of ARL's science for 
cyber research portfolio is to examine a number 
of issues underlying cybersecurity and to develop 
novel theoretical constructs on which future 
cybersecurity advances can be based. The pro- 
gram explores models for the representation of 
cybersecurity, develops ensemble techniques for
improved detection of attacks, and investigates
behavior as a fundamental indicator in detection 
and analysis. In particular, the research program 
focuses on theories and models that will lead to 
more effective intrusion detection techniques. 

► The National Science Foundation (NSF) Team
for Research in Ubiquitous Secure Technology
(TRUST)/Secure and Trustworthy Cyberspace
(SaTC) Program. TRUST, established as an NSF
Science and Technology Center, focuses on
addressing technical, operational, privacy, and
policy challenges via interdisciplinary projects
that combine fundamental science and applied
research to deliver breakthrough advances in
trustworthy systems in "grand challenge" areas
such as the science of cybersecurity. In this area,
TRUST researchers are developing a science base
for security, with hopes to ultimately leverage
these views in revising course content and embodying
this theory in tools for system developers.
Similarly, NSF's SaTC program is focused on
making cyberspace secure and trustworthy. Research
in cybersecurity must "change the game,"
check the misuses of cyber technology, bolster
education and training in cybersecurity, establish
a science of cybersecurity, and transition promising
cybersecurity research into practice. The
program recognizes that cyberspace will continue
to grow and evolve and that advances in the
sciences and technologies must grow and evolve
as well, creating new "leap-ahead" opportunities.

The research in support of the strategic plan thrusts 
represents an increasing portion of the CSIA R&D 
budgets across federal agencies. This also translates 
into greater support of national priorities, such as 
health IT or Smart Grid, where key cybersecurity chal- 
lenges can be addressed by focusing R&D activities 
within the framework of the thrusts. 

Going forward, the execution of the strategic plan
continues to be a collaborative process among a group
of stakeholders: OSTP, responsible for policy and
budgets; the CSIA Senior Steering Group, responsible
for strategic directions; the CSIA Interagency Working
Group, responsible for coordinating R&D activities;
the SCORE Interagency Working Group, responsible
for coordinating with R&D for national security systems;
the federal agencies with cybersecurity R&D responsibilities;
and the private sector. After a deliberate
and thoughtful process, the nation's cybersecurity
research community can focus its energy and resources
on a shared vision of a trustworthy cyberspace.

It's undeniable that the Internet has had a profound impact on societies across the world.
Digital communications have developed to the point that we use and depend upon them
daily in the same way that we depend upon traditional infrastructures and utilities. What
began in the 1980s as a novel experiment to improve the survivability of critical military
communications has evolved into a broad array of information services and commodity 
devices used by the masses. 

Unfortunately there are many risks associated with this technology that are chronicled daily 
in the news — stolen credit card numbers, loss of personal privacy, theft of corporate secrets, 
and even infiltration of sensitive government systems by foreign agents. One reason these 
reports are so commonplace is that the technologies underlying digital communications 
are inherently vulnerable — despite the best intentions of their designers and decades of 
development. Knowing this, most users willingly accept the risks because the capabilities of 
these devices are so compelling and, in many instances, even addictive. NSA is taking steps to 
better understand and develop the science behind cybersecurity.

Realizing the need for
cybersecurity science 

NSA has played an active role in system security for
over six decades — originally in the area of cryptography
for classified communications and later in the
development of a wide range of technologies to protect
modern computing systems. To maintain its edge,
NSA has a tradition of using expert panels for advice
and guidance in critical technical areas. In 2008, the
Information Security Panel initiated a discussion
concerning the scientific underpinning for computer
security engineering. Their concern stemmed from the
growing use of commercial off-the-shelf technology
in critical government systems, and they questioned
whether the frequency of high profile security failures
could be attributed to a lack of scientific rigor in
security engineering. In contrast, they noted that the
science and engineering associated with cryptographic
systems, while still imperfect, seemed to result in far
fewer catastrophic failures. The panel concluded that
NSA's Information Assurance (IA) Research Group
should review the state of cybersecurity science and
consider establishing an initiative to put cybersecurity
engineering on par with other established
engineering disciplines.

The panel's concerns and challenge were welcomed
as corporate-level acknowledgement of what security
researchers at NSA and throughout the community
had come to believe — that a new, strategic initiative
was needed to advance security from the current
patchwork of point solutions and ad hoc approaches
and that resources should be shifted to focus on the
development of a cohesive and organized body of
knowledge as a foundation for the field of cybersecurity.
The IA research group was convinced that the
Agency's experience developing strong foundations for
cryptography provided the model for what might be
done in cybersecurity science and that the evolution
of NSA's IA mission into the cyber domain provided
more than enough motivation for it to take on a
leadership role.

Assessing the state of 
cybersecurity science 

Gauging the state of cybersecurity science, or any
science, requires some method of determining what
work truly qualifies as science. While there are myriad
definitions of science that relate to testable hypotheses
— for example, the ability to make predictions
and the use of methodical procedures — a simplistic
definition adopted by the IA research group was "any
work that describes the limits of what is possible." A
good example of science consistent with this definition
is Claude Shannon's seminal work on channel capacity,
which established upper bounds on the rate of information
transfer through a communications circuit.
Shannon's results have provided the foundation upon
which much of modern communications engineering
is based.

Our simple litmus test provided us with a simple
and straightforward way to distinguish scientific
results in our review of security research. We began
with a high-level review of research papers presented
at prominent security conferences and then surveyed
the security curricula of leading academic institutions.
We concluded that most security work meeting our
definition of science was concentrated in the areas of
cryptography, cryptographic protocols, program correctness,
fault tolerance, and formal methods. Much
of the other research in security has been concerned
with models of security (e.g., Bell-LaPadula and Biba),
heuristic design principles, attack strategies, design/assessment
of security components (e.g., firewalls, filters,
and virtual private networks), risk assessment, intrusion
analysis, etc. Although this body of research has
contributed to the development of more trustworthy
systems, it does not contribute to our understanding
of the science of cybersecurity.

Overall, we concluded that the results of our review
were consistent with the advisory panel's view
of cybersecurity science. But an equally important
conclusion we reached was that making significant
strides in cybersecurity science would require an effort
much larger than NSA alone could support. Unlike
NSA's authority in the field of cryptography, no single
government organization is charged with responsibility
for cybersecurity technology and its scientific
foundations. We felt that developing a body of science
to support our nation's interests in cyberspace
would require a large, long-term effort supported by
the combined resources of government, industry, and
academia. NSA's mission and experience in information
assurance, and its six decades of investment in the
science of cryptography, place it in a unique position
to provide a leadership role for advancing the science
of cybersecurity.

A holistic approach to
cybersecurity science 

To socialize the idea of a broad program focused specifically
on science, we consulted with the other government
organizations that have traditionally sponsored
security research. Those discussions resulted
in a decision to sponsor a workshop to explore the
topic of cybersecurity science in depth with a broad
group of representatives from government, academia,
and industry. In November 2008, the Workshop on
the Science of Security (i.e., science of cybersecurity)
sponsored by the National Science Foundation (NSF),
the Intelligence Advanced Research Projects Agency
(IARPA), and NSA was held in Berkeley, California.
Attendees included experts from traditional information
security fields as well as others from a variety
of nontraditional fields including biology, economics,
and sociology. The range of topics discussed was
equally broad and included such questions as:

► Is a science of cybersecurity possible? 

► What might a science of cybersecurity look like? 

► How can we reason about problems that seem 
impossibly hard? 

► Is it possible to have scientific security metrics? 

► What lessons can we learn from 
other disciplines? 

Several days of discussions generated a broad and 
divergent set of ideas concerning the possibility of 
developing a science of cybersecurity. But there was 
general agreement on several areas where advances 
were sorely needed. The first concerned the need to 
account for human behavior in models of system 
security. While the difficulty of modeling intelligent 
adversarial behavior has long been recognized as a 
shortcoming in security models, it has also become 
increasingly apparent that a science of cybersecurity 
should account for human behavior associated with 
the overall operation and defense of cyber systems. In 
either case, however, the addition of a human dimen- 
sion was acknowledged to add enormous complexity 
to the task of analyzing and designing secure systems. 

There was also agreement that the ability to produce
systems that are secure in the real world requires accounting
for important factors beyond just the technical
aspects of the security mechanisms used. The poor
adoption rate and ineffective use of available security
technology over the past several decades were viewed
as evidence of this. Beyond the role of human behavior,
the impact of financial and business constraints on
the effectiveness of system security was highlighted.

While no specific plan of action emerged from the 
workshop, the collection of ideas generated signifi- 
cantly influenced the research programs of numerous 
funding groups, NSA's in particular. In a significant 
departure from past NSA research programs, our new 
cybersecurity science portfolio will seek to include a 
much more diverse set of disciplines than previously 
considered, including human perception, psychol- 
ogy, physiology, economics, data analytics, and 
game theory. 

Strategies for advancing science 

Recognizing the need to improve the scientific foun- 
dations of security was a useful first step, but it didn't 
provide insight regarding what strategy might best 
accomplish this goal. One seemingly obvious and 
straightforward approach was simply to increase 
funding for security research that specifically targeted 
science. It was clear that even sizable increases in 
current budgets — which weren't likely — would fall far 
short of producing the advances needed. But before 
proceeding with any specific strategy, it seemed pru- 
dent to investigate why more science hadn't already 
been produced. Some who have reviewed the broader 
ecosystem in which research is conducted believe that 
current incentives associated with security research 
weren't well suited to producing science. (See Tom
Longstaff's article on page 14 for more on this subject.)
This suggested that we should consider a strategy
aimed at reshaping the incentive system. In the end, 
since it was not clear if either of these approaches 
would produce the desired results, we decided to 
adopt a mixed strategy — one that provides direct sup- 
port for specific science research projects while, at the 
same time, seeking improvements in the overall condi- 
tions for producing science. 

Experiments in funding science 

For decades, government organizations including 
the Defense Advanced Research Projects Agency 
(DARPA), NSF, the Air Force Research Laboratory 
(AFRL), and the Army Research Office (ARO), as well 
as NSA have used direct funding for research targeted 
at specific security topics; so it seemed straightfor- 
ward to apply the same approach for cybersecurity 
science. NSA's cybersecurity science initiative is
exploring a number of variations of this strategy to 
assess their effectiveness. One approach, used shortly 
after the conclusion of the Berkeley workshop, pro- 
vides supplemental funding to an ongoing security 
research program (i.e., NSF's Team for Research in
Ubiquitous Secure Technology Science and Technol- 
ogy [TRUST] Center) specifically to encourage work 
in science. A second approach was adapted from 
industry: it involves funding specific work in science 
at a small number of academic research groups — referred
to as lablets — at highly qualified institutions.
The first three lablets, established at Carnegie Mellon 
University, University of Illinois, and North Caro- 
lina State University, were beneficiaries of funding 
provided to NSA that was specifically earmarked for 
cybersecurity science. (See page 46 for more informa- 
tion.) While the initial choice of lablets was limited by 
timing constraints placed on the funding, the number 
of institutions participating in the program increased 
through the inclusion of an outreach requirement for 
each lablet. The last funding approach included in our 
portfolio provides support to specific, high-impact 
problem areas identified through research reviews 
conducted across the security community. Composi- 
tion is one cybersecurity science topic that is currently 
being supported with the goal of understanding how 
the security properties of a system can be derived 
from the properties of its component parts. 

After several rounds of modest NSA funding 
supplements to NSF's TRUST Center, increased attention
is being devoted to science and beginning to
influence other work and researchers. NSA's lablet
initiative, formally established in 2012, recently kicked 
off several dozen projects to explore how effective a 
multiuniversity, multidisciplinary team approach can 
be at advancing science and involving nontraditional 
partners. Early work has focused on identifying core 
hard problems in science that must be understood in 
order to deal with the security issues that plague the 
nation. We have long recognized that security research 
does not always lead to scientific understanding, and 
through collaboration with our lablet partners, we are 
maturing our joint understanding of how to shape 
research to maximize its contribution to science. Our 
work funding specific projects in science has just 
begun, but the quality of the investigators and their 
previous contributions to science make us confident 
that these efforts will provide a showcase for cyberse- 
curity science research. 



On applying strong inference to 
cybersecurity science 

Carl E. Landwehr 

In 1964, biophysicist John R. Platt observed that
some scientific fields, such as molecular biology
and high energy physics, seem to advance
more quickly than others, and he argued that the
use of a method he dubbed "strong inference"
was responsible [1]. In strong inference, a tree of
alternative hypotheses is developed and pruned
in response to the results of critical experiments.
Platt's paper created quite a stir at the time and
has continued to inspire responses over the years. 
(See [2, 3] for two examples.) 

Could this approach speed the development 
of a science of cybersecurity? To investigate this 
question, NSA sponsored a panel at the 2012
Institute of Electrical and Electronics Engineers 
Symposium on Security and Privacy. Five cyberse- 
curity researchers active in economics, human be- 
havior, systems, formal methods, and cryptogra- 
phy were asked to assess the suitability and actual 
use of strong inference in their respective fields. 
As organizer of the panel and moderator of the 
discussion, which included lively exchanges with 
the audience, my personal conclusions are that 
strong inference is not widely used in the field at 
present and that its potential benefit is strongest 
in those domains where natural phenomena, 
including human behavior, must be modeled. Its 
benefits are less clear in areas like cryptography 
and formal methods, where mathematics and 
logic predominate. Nevertheless, in any field, the 
intellectual rigor required to formulate a proposed 
research project as a hypothesis-testing exercise 
can only help. 



Broadening research participation 

A funding strategy that targets specific research 
projects unavoidably limits participation to a small 
group of researchers. To significantly broaden partici- 
pation in cybersecurity science we are investigating 
ways to reshape the overall research environment to 
be more conducive to producing science. One goal 
is to increase the perceived value of research that 
advances science, even incrementally, rather than 
of work that tracks the latest security trends. If successful,
we believe we can accelerate the creation of
a cybersecurity science by leveraging a much larger 
community of researchers. The downside of such an 
indirect approach is that specific research outcomes 
are much less certain and the overall effectiveness of 
the investment is difficult to assess. While influencing 
the research environment seems simple notionally,
developing a practical strategy to do this is challenging.
Some of the approaches we are investigating include 
challenge problems, competitions, awards for scientific 
papers, and recognition of researchers' achievements. 
The strategy we adopt, as in other cases, will include a 
variety of these techniques. 

Building community 

Our report to NSA's advisory board observed that 
the scope of the effort needed to develop a science of 
cybersecurity was well beyond what NSA could ac- 
complish on its own. But we also noted that NSA was 
in a unique position to lead a community activity to 
make this happen. One of the key aspects of our sci- 
ence initiative has been enlisting the support of NSA's 
many research partners including the Air Force Office 
of Scientific Research, the Department of Homeland 
Security, NSF, DARPA, IARPA, the federal laborato- 
ries, and other groups across the DoD and intelligence 
community. We have also sought the involvement of 
our foreign partners, particularly the UK and Canada. 
Although a government-wide cybersecurity science 
initiative does not yet exist, we have attempted to co- 
ordinate the collection of research projects to provide 
cohesion and balance. 

In the past several years there has been a ground- 
swell of interest in creating more robust scientific 
foundations for cybersecurity. Today, there are nu- 
merous cybersecurity science activities underway, 
with more being planned, and keeping track of them 
is becoming increasingly difficult. To deal with this 
problem and to encourage the development of a com- 
munity surrounding work on cybersecurity science, 
NSA has taken a lead role in developing a web-based 
Science of Security Virtual Organization (SoS VO). 
This work leverages the Virtual Organization collabo- 
ration infrastructure developed by NSF to support 
its Cyber-Physical Systems (CPS) program. (Visit the 
CPS Virtual Organization at cps-vo.org.) The goal for 
the SoS VO is to provide "one stop shopping" for anything
related to cybersecurity science. The website will
provide information on conference events, research
sponsors, current research programs, notices of future 
initiatives, research tools and data, etc. The research 
produced by these activities will be made available for 
review and distribution, and a future goal is to provide 
video streams of research reviews for wide viewing. 
The site is also intended to encourage and support col- 
laboration by providing a variety of social networking 
features including discussion forums, chat, researcher 
blogs, and lists of challenge problems. (See article on 
page 20 for more information about the SoS VO.) 

Transitioning findings to practice 

New security systems continue to be developed 
despite limitations in existing science, so developers 
must make do with whatever practices are available, 
however imperfect. Because of this, an important 
consideration in our initiative is the rapid transition of 
emerging scientific results into the practice of security 
engineering. In our cybersecurity science lablet 
program, for example, we are seeking opportunities 
to develop courses that capture new science and to 
augment existing courses with improved scientific 
foundations. As new material is developed, we intend 
to leverage relationships with the National Institute of 
Standards and Technology and NSA's own Centers of 
Academic Excellence program in order to influence 
the design of new systems and future generations 
of developers. (For more information about NSA's
Centers of Academic Excellence, visit
http://www.nsa.gov/ia/academic_outreach/nat_cae.)

Measuring progress 

Although the resources currently invested in cyber- 
security science are relatively modest compared with 
other research areas, responsible program managers 
will still need to track the return on their investment. 
So, how can progress in cybersecurity science be mea- 
sured? While breakthrough discoveries and near-term 
impact are always hoped for, scientific advances are 
often incremental and produced over periods mea- 
sured in decades. Therefore, expectations for signifi- 
cant results need to be circumspect and mindful of the 
many ways in which scientific advance is observed. 
Types of scientific progress include: 

► Finding the new — discovering 
scientific breakthroughs; 
► Taking a fresh look — developing useful new
ways to look at a given set of data; 

► Finding patterns — discovering and explaining 
patterns in phenomena across time; 

► Finding connections — linking theories and ex- 
planations across multiple fields of research; and 

► Influencing others — stimulating further re- 
search, including research outside the field, and 
collaboration across different fields. 

In addition, scientific progress may be seen in mea- 
sures that show rising interest and excitement about a 
new field, including [4]:

► Established scientists begin to work in a 
new field; 

► Highly promising junior scientists choose to pur- 
sue new concepts, methods, or lines of inquiry; 

► Students increasingly enroll in courses and pro- 
grams in a new field; 

► The rate of publications in the field increases; 

► Citations to publications in the field in- 
crease in both number and range across other 
scientific fields; 

► Publications in the new field appear in 
prominent journals; 

► New journals or societies appear; and 

► Ideas from the field are adopted in other fields. 

Conclusion 

NSA's long-standing investment in cryptographic 
science and engineering has yielded the most robust 
encryption technology in the world. But the protection
of our nation's cyber systems demands security
design and analysis techniques that encompass much 
more than cryptography, yet are comparably grounded 
in science. While we do not expect that a science of 
cybersecurity can guarantee complete protection 
against cybersecurity threats any more than safety sci- 
ence can guarantee risk-free transportation, it should 
provide us with greater certainty about the capabilities 
and limitations of our security mechanisms, allowing 
us to make well-informed risk decisions. NSA's cyber- 
security science initiative is the first step in a long- 
term endeavor to develop the broad understanding of 
security that we need to protect our national interests 
in cyberspace.

Barriers to achieving a science of cybersecurity



Tom Longstaff 




Several recent reports, such as the JASON "Science of cyber-security" report [1], point to
examples and approaches for achieving success in applying science to cybersecurity. 
Audiences everywhere enthusiastically agree and thrash themselves for bypassing science all 
along, bemoaning the fact that we could be "so much further along" if we only did science. 
Of course, after the presentation is over, everyone goes back to the methods that have 
been used throughout our generation to create prototypes and tools with no regard for the 
scientific principles involved. Why? 



During the winter of 2009, an informal group 
of three cybersecurity researchers — Roy 
Maxion from Carnegie Mellon University,
Tom Longstaff from Johns Hopkins Applied Physics
Laboratory, and John McHugh from the University
of North Carolina — pondered this question based on
their collective experience. The results of their discussion
generated a presentation at the 2010 Annual
Computer Security Applications Conference and a 
National Science Foundation (NSF) Washington Area 
Trustworthy Computing Hour (WATCH) lecture on 
March 15, 2012. (A transcript of the lecture can be 
found here, http://www.nsf.gov/events/event_summ.jsp?cntn_id=123376&org=NSF.)

At the NSF WATCH lecture, Tom Longstaff discussed
some barriers to achieving a science of cybersecurity
within the cybersecurity culture — barriers that
seem to prevent well-meaning researchers from taking 
a more scientific approach to cybersecurity projects. 
Three of these barriers are described below. 

1 Research begins after a conference 
is announced. 

The informal group recognized that the publication 
cycle for cybersecurity papers is very short in compar- 
ison to other scientific fields, such as physics, chem- 
istry, or psychology. The group noted that in other 
fields research is completed far in advance of a call for 
papers. In cybersecurity, however, common practice 
is to begin the research after a particular conference 
or venue is identified, often within six months of the 
submission deadline. 

2 Program committees lack scientists.

The members of the informal group had been on 
many program committees before. They recognized 
that such committees were often made up of nonsci- 
entists who did not recognize or value the material in 
a scientific cybersecurity paper. Thus, papers accepted 
by these committees often did not include a methodol- 
ogy section, nor were authors encouraged to provide 
enough information to make their results repeatable 
or reproducible. 

3 Publications favor articles about 
novelties in the field. 

Finally, cybersecurity publications typically prefer 
articles or papers that indicate entirely new directions 
in cybersecurity, rather than incremental approaches 
that better describe the causal relationships found in 
cybersecurity. Being aware of this preference, authors 
do not spend time executing careful scientific experi- 
ments that lead to incremental approaches, but instead 
speculate or quickly produce a novel prototype. 

While there are many incentives that could be add- 
ed to address these three barriers, several were called 
out specifically in the WATCH lecture as likely to have
a good long-term impact on the field of cybersecurity.
They are to: 

► Encourage the publication of longer-duration
research in cybersecurity through preferential 
acceptance of such research in conferences 
and journals, 

► Leverage the knowledge of traditional physical 
scientists in structuring scientific publications 
by encouraging coauthorship and collaboration 
with cybersecurity researchers, 

► Train computer science students to use the 
scientific method through the development 
of new courses in experimental research 
and publication, 

► Sponsor conferences and journals that
promote the scientific method as a main 
acceptance criterion, 

► Require authors of papers to use scientific rigor 
in their construction for sponsored conferences 
and journals, 

► Create a publicly available body of knowl- 
edge consisting of a scientific publication in 
cybersecurity, and 

► Create an explicit separation between scientific 
contributions and technological contributions 
(and reward scientific contributions). 

Cybersecurity culture is rooted in performing 
rapid prototyping and programming ad hoc solu- 
tions to engineering problems. Changing this culture 
and overcoming the barriers described above will be 
difficult, but the benefits of encouraging science in 
cybersecurity will be well worth the effort.

Funding research for a science of cybersecurity: The Air Force makes it a mission

Dr. Robert Herklotz 



The Air Force Office of Scientific Research (AFOSR) plans, coordinates, and executes the 
Air Force Research Laboratory's basic research program. AFOSR's technical experts 
identify and fund long-range technology options at Air Force, university, and industry 
research laboratories. This support ensures the timely transition of research results that 
lead to revolutionary scientific breakthroughs, enabling the Air Force and US industry to 
produce world-class, militarily significant, and commercially valuable products. Such research 
is inherently risky, sometimes outside of the mainstream, and often requires an extended 
period of support. This article describes several AFOSR initiatives that focus on the science of 
[cyber]security (SoS). The initiatives include a Multidisciplinary University Research Initiative
(MURI), a Young Investigator Program (YIP) grant, and a Basic Research Initiative (BRI). 



Multidisciplinary University 
Research Initiative (MURI) 

In 2010, the deputy director for cybersecurity in the 
Information Systems and Cyber Security Directorate 
of the Assistant Secretary of Defense for Research 
and Engineering (ASD(R&E)) requested the AFOSR 
to fund a MURI focused specifically on the science
of [cyber]security (SoS). The MURI program is
DoD-wide and complements other DoD programs 
that support university research through the single- 
investigator awards. The MURI supports the research 
of teams of investigators whose backgrounds inter- 
sect multiple traditional science and engineering 
disciplines in order to accelerate research progress. 
The government team for this effort was led by Dr. 
Robert Herklotz, AFOSR, and included support from
a number of research funding organizations including
the Air Force Research Laboratory/Information
Directorate; the Army Research Office; the Office of 
Naval Research; the National Science Foundation; 
the National Security Agency; the National Institute 
of Standards and Technology; and the Office of the 
Director, Defense Research and Engineering (now 
the ASD(R&E)). 

The SoS MURI was prompted by the widely held 
belief in the security community that cybersecurity 
has been pursued largely as a reactive effort, with an 
endless cycle of new attacks and defensive responses. 
Many security experts have come to believe this cycle 
cannot be broken because today's information technology
systems are too complex to ever be modeled
with formally defined and verified security properties. 
In fact, no formal definition of cybersecurity described
in terms of system properties has yet been
produced, let alone metrics capable of measuring 
those properties. 

The objectives of the SoS MURI, as presented in the 
proposal solicitation, are to begin the development of 
an architecture or first principle foundation to define 
cybersecurity for such systems, to discover and define 
basic system properties that comprise system security 
and other useful attributes, and to identify system 
properties that can be verified and validated through 
theoretical proof and/or experimentation. A primary 
goal is to answer the following questions through the 
discovery and analysis of basic system properties: 

► Can the system enforce the desired security poli- 
cies in each system component? 

► Can the system enforce the desired security
policies across all system components simultaneously?
If so, what are the security
properties of the whole system?

► Can system capability, as defined 
in the first two bullets above, de- 
fend against each class of attack, 
once classes of cybersecurity 
attacks are defined? 

► How can we formally define 
cybersecurity policies and mecha- 
nisms (including defense, monitor- 
ing, response, etc.) and assess their 
effectiveness against classes of attacks? 

► Can an adversarial process model be formally 
defined that is capable of generating known 
classes of attacks? 

► Can we define metrics for basic system properties
and for the ability of a system to enforce
a security policy that defends against a class
of attacks?

► Can we define system properties and metrics 
dealing with system characteristics, such as scal- 
ability, adaptability, ease of use, etc., in order to 
compare alternative system designs? 

The development of theoretical underpinnings (i.e., 
system properties and relationship to policies) and 
the theories and metrics (i.e., relationships between 
attacks, defenses, and policies) will allow us to create 
system engineering methodologies that can perform 
rigorous design trade-offs among cybersecurity
properties, as well as other properties, in the development
of complex systems. In addition, this
research will: 

► Enable the creation of new technologies and sup- 
porting tools grounded on sound principles, 

► Establish a baseline for comparing technology 
capabilities among vendors, 

► Encourage the creation of a new industry for 
security software engineering technologies, and 

► Reduce development costs by providing scientifi- 
cally supported evidence of security properties 
rather than applying exhaustive testing to look 
for evidence of insecurity. 

The winning MURI proposal 

The winning proposal, announced April 22, 
2011, is entitled "Science of cybersecu- 
rity: Modeling, composition, and 
measurement." The work is to be 
performed by a multiuniver- 
sity team of researchers led by 
Professor John C. Mitchell of 
Stanford University. 

Professor Mitchell's team
proposed research to advance a
science base for trustworthiness
by developing concepts, relationships,
and laws with predictive value.
Their work will focus on problem areas
amenable to rigorous treatment and generalizable
solutions and is organized around the following
three thrust areas: 

1. Security modeling. A uniform approach to secu- 
rity modeling will allow systematic approaches 
to be developed and applied to a broad range of 
richly connected systems, supporting analysis
of resilience against graduated classes of clearly
defined threat models. 

2. Secure composition. Principles of secure com- 
position will be developed, analyzed, and evalu- 
ated for systematic and modular construction of 
trustworthy systems, relative to security proper- 
ties that can be verified and validated through 
theoretical proof and/or experimentation. 

3. Security measurement. New security measurement
concepts will be devised and used to
determine relative strengths of defense mechanisms,
whether security improves from one
version of a system to another, and when additional
security mechanisms are warranted,
given incentives associated with system attackers
and defenders.

The Next Wave | Vol. 19 No. 4 | 2012 | 17

Together, the advances anticipated for these three 
complementary thrusts will support a science base for 
future systems that proactively resist attacks through 
secure design, development, and implementation 
based on principled foundations. 

Young Investigator Research Program 

On January 11, 2012, the AFOSR announced it would
award approximately $18 million in grants to 48 scien- 
tists and engineers who submitted research proposals 
through the Air Force's Young Investigator Research
Program (YIP). 

The YIP is open to scientists and engineers at 
research institutions across the US who received a 
PhD or an equivalent degree in the last five years and 
show exceptional ability and promise for conduct- 
ing basic research. The objective of this program is to 
foster creative basic research in science and engineer- 
ing, enhance early career development of outstanding 
young investigators, and increase opportunities for the 
young investigators. 

Among the 2012 winners was Michael Clarkson, 
assistant professor in the Department of Computer 
Science at the George Washington University. His 
YIP proposal, "Making cybersecurity quantifiable," 
is focused on further development of his PhD the- 
sis on hyperproperties, a very promising tool for 
security science. 

Basic Research Initiative on cyber trust 
and suspicion 

On March 27, 2012, the AFOSR announced a Basic 
Research Initiative (BRI) to build the foundational 
understanding of human trust and suspicion in the 
cyberspace domain. Cyberspace operations rely heav- 
ily on the degree to which users trust, or are suspicious 
of, their information technology systems. To date, 
there has been little or no work in providing any uni- 
fied/comprehensive treatment of the impacts of social, 
cultural, economic, political, and emotional factors (to
name a few) underlying trust and suspicion, especially
in complex systems. 

The winning proposal, "A social, cultural, and emo- 
tional basis for trust and suspicion," led by Dr. Eunice 
E. Santos of the Institute of Defense and Security at 
the University of Texas, El Paso (UTEP), was funded 
on September 14, 2012. Her team, which includes 
UTEP, Syracuse University, the University of Tulsa, 
the University of Houston, and Assured Information 
Security, Inc., proposed research to develop a model 
of system users and managers and insider behavior 
that accounts for and explains the social, cultural, and 
emotional basis for trust and suspicion. 

Among the questions their research will 
address are: 

1. How can different people be swayed (or sway 
others) based on trust or suspicion? 

2. How and why do group member sociocultural 
characteristics, group size, information sharing 
patterns, and events affect group cohesion? 

3. Is it possible to detect significant drops in situ- 
ational awareness or when the level of trust is 
inappropriate in a given context? 

4. What are the critical interrelationships between 
information, emotional responses, situational 
awareness, influences on decision making, and 
associated changes in task performance? 

5. How do complex multiscale and multilevel fac- 
tors affect insider threat detection? 

6. Lastly, and most importantly, can this research be 
unified into a single overarching framework of 
social, cultural, and emotional factors underlying 
trust and suspicion? 

The end product of their project is a methodology 
that can be used to better understand system users 
and managers and the insider threat by providing the 
social, cultural, and emotional basis of human behav- 
ior in the cyber domain and the impacts of trust and 
suspicion on cyberspace operations. 

A legacy of research 

The AFOSR was born out of the need to address a 
long-standing shortfall in military basic research. 
This deficiency became obvious during World War II, 
when massive civilian-led research and development 
efforts were required to create the technology needed
for our nation to dominate warfare in a physical battle
space. Today the AFOSR continues its original mission
by investing in the development of basic research
to support domination of the emerging battle space in 
the cyber domain. Just as a well understood scientific 
foundation is necessary for secure and safe physical 
systems, a science of cybersecurity is needed for safety 
and security in the cyber world. To learn more about 
the AFOSR basic research program funding opportu- 
nities, download the broad agency announcement (i.e., 
BAA-AFOSR-2012-0001) from
https://www.fbo.gov/spg/USAF/AFMC/AFOSR/BAA-AFOSR-2012-0001/listing.html.

Advancing the science of
cybersecurity with a virtual

Origins

The National Science Foundation (NSF)'s 
Cyber-Physical Systems (CPS) program is a
research initiative to support the development 
of systems that combine physical, computing, and 
communications components at very large scale and 
high complexity. Cyber-physical systems are not the 
traditional desktop computers, embedded/real-time 
systems, and sensor nets with which we are familiar 
today. They are characterized by cyber capabilities in
all physical components, networking at multiple and 
extreme scales, high degrees of automation, dynamic 
reconfiguration and reorganization, and extreme requirements
for dependability and reliability. Although
cyber-physical systems are currently being planned 
and developed to support applications in numerous 
areas (e.g., the smart power grid, smart healthcare, and 
smart transportation), the scientific understanding 
and engineering tools needed to realize such systems 
with high-confidence reliability and dependability 
are lacking. 

The CPS Virtual Organization (CPS VO), an off- 
shoot of the CPS program, was envisioned as a tool 
to promote and support a broad spectrum of col- 
laborative interactions among researchers to assist 
in solving complex, crosscutting problems requiring 
expertise from multiple domains. The CPS VO pro- 
vides a web-based gathering place and clearinghouse 
for knowledge relevant to cyber-physical systems and 



to advance the theory, engineering, and operation of 
cyber-physical systems. A primary objective of the 
CPS VO is to overcome some of the major impedi- 
ments to progress in complex systems science, such 
as the lack of integration and cross-fertilization of 
numerous traditionally isolated disciplines. The NSF 
intended the CPS VO to enable electronic community 
building and to provide a vehicle for sharing informa- 
tion among otherwise disparate researchers, students, 
educators, and industry practitioners within the grow- 
ing cross-disciplinary field of cyber-physical systems. 

Vanderbilt University was selected by NSF to 
develop and manage the CPS VO. It was built using
DRUPAL, a widely used, free, and open-source
content management system that provides the back 
end for at least two percent of all websites worldwide, 
including whitehouse.gov. The system is flexible and 
highly customizable, providing a rich set of capabili- 
ties for the CPS VO user community. The CPS VO 
was initially used to advertise the activities of the CPS 
program and to establish electronic forums for many 
of the common interest groups (e.g., medical, automo- 
tive, aviation, education, and architectures) within the 
national High Confidence Software and Systems Co- 
ordinating Group. The High Confidence Software and 
Systems Coordinating Group (HCSS CG) is part of 
the national Networking and Information Technology 
Research and Development (NITRD) Program. (For 
more information on NITRD, see www.nitrd.gov.) 

Establishing a virtual organization for
cybersecurity science

At a high level, NSF's CPS program and the federal 
cyber-physical systems research portfolio can be seen 
as a broad research initiative intended to develop the 
scientific foundations for designing complex systems. 
Many of the activities associated with cyber-physical 
systems have focused on identifying the technical 
challenges associated with various types of complex 
systems. In late 2010, NITRD agencies, led by NSA 
and NSF, launched one such activity related to the sci- 
ence of dependable and secure cyber-physical systems. 
This effort culminated in the Workshop on Foundations
of Dependable and Secure Cyber-Physical
Systems, held as part of CPS Week 2011 in Chicago,
Illinois. (For more information, see
https://www.truststc.org/conferences/11/CPSWeek/program.htm.)

The workshop focused on topics that addressed 
fundamental challenges of making cyber-physical sys- 
tems secure, dependable, and trustworthy. Particular 
emphasis was placed on the control and verification 
challenges arising from the complex interdependen- 
cies among networked systems. Such systems are in 
widespread use today, controlling the operation of 
critical infrastructures such as power transmission, 
water distribution, transportation, healthcare, building 
automation, and process control. The combination of
various factors — including the widespread use of commodity
components, Internet connectivity, and the
malicious intents of hackers and cybercriminals — has
made these types of systems extremely vulnerable.
Despite attempts to apply security-oriented design
guidelines and policies, much remains to be done to
achieve a scientifically grounded and principled design 
approach to security, trustworthiness, and dependabil- 
ity in these systems. 

The 2011 workshop was a first formal attempt to
foster collaboration among researchers from a variety 
of fields including control and systems theory, embed- 
ded systems, game theory, software verification and 
formal methods, and computer security. One impor- 
tant outcome of the workshop was the recognition that 
the science of cybersecurity was critical to the overall 
success of the CPS program and of the cyber-physical 
systems field. This recognition aligned with the vision 
that had been previously put forward by the NITRD 
HCSS CG cochairs in a white paper to the Office of 
Science and Technology Policy (OSTP) titled "Winning
the future with science and technology for 21st
century smart systems." Workshop recommendations
went even further, recommending that a virtual organization
dedicated to cybersecurity science be established
within the CPS VO — the Science of Security
Virtual Organization (SoS VO).

Growing interest in 
cybersecurity science 

At the same time as the CPS program moved toward 
creating a distinct cybersecurity science group, a 
number of governmental initiatives in cybersecurity 
science began appearing from organizations across 
the broader cybersecurity community, including 
several outside of the US. Unfortunately, without the 
benefit of any centralized resource to help coordinate 
their efforts, these activities developed in isolation. As
information about these efforts became more widely 
available, it became clear that the SoS VO could serve 
an even more valuable role if it provided a focal point 
for all things cybersecurity science related. Together, 
through NSA leadership and sponsorship, Vanderbilt's 
design goal for the CPS VO was augmented to provide 
a portal with a rich set of collaboration and sharing 
capabilities, leveraging and extending NSF's investment
to support an enhanced data repository and
content management system. This coordinated effort 
served well the interest of both the CPS VO and SoS 
VO communities. While this approach was signifi- 
cantly more ambitious, it offered better opportunities 
for advancing work in both cyber-physical systems 
and cybersecurity science much more quickly and 
efficiently. The integrated approach and the resulting 
extended capabilities will benefit other cyber-physical 
systems special interest groups as they begin building 
their online communities. 

Content is king, search is queen 

From its inception, the CPS VO was intended to 
grow into an established research resource by offer- 
ing a storehouse of information with a robust search 
capability to mine it efficiently. Achieving this goal 
meant that the virtual organization needed to attract 
a large user population and provide services that were 
valuable, engaging, and easy to use. These objectives 
were adopted as the guiding principles for all decisions 
made in augmenting support for the SoS VO. The 
target audience was expanded to include researchers, 
program managers, educators, funding agents, system 
designers, and students — almost anyone having an in- 
terest in cybersecurity science. Attracting such a broad 
group meant the SoS VO had to provide an extensive 
and useful assortment of information, accessible intui- 
tively and efficiently — a very tall order. If the SoS VO 
is able to create an enduring engagement center for 
cybersecurity science, user-contributed content should 
generate value and further help to build a cybersecu- 
rity science community. 

Evolving an SoS VO capability 

After a careful assessment of the needs identified for 
the SoS VO, a plan was developed to roll out new 
capabilities in three basic areas. The first set of capabilities
was geared toward establishing the SoS VO as
a focal point for information about ongoing activities
related to cybersecurity science and as a repository 
for significant research results. The second phase of 
development would place emphasis on community 
development, information sharing, and interaction 
among researchers in the field. The last, and most am- 
bitious, set of capabilities envisioned for the SoS VO 
would help to establish and support true collaboration 
in advancing cybersecurity science. (See figure 1 for a 
screenshot of the SoS VO home page.) 

SoS VO capability phases 

► Phase 1. Build a resource center.

Creating a centralized information resource on 
cybersecurity science activity is the first step 
planned for the SoS VO and is key to helping 
establish a community. An important goal of 
this phase involves identifying and collecting 
information about the disparate cybersecurity 
science work currently being performed. Pro- 
viding descriptions and contact information for 
the organizations conducting and supporting 
cybersecurity science work is a priority, as well as 
advertising new program funding opportunities. 
For organizations currently producing reports 
related to cybersecurity science, the SoS VO 
intends to provide a centralized library for 
cataloging, analyzing, searching, and distribut- 
ing information. A calendar of events related to 
cybersecurity science is a core capability of the 
SoS VO and will appear early with the ability to 
sync to users' individual calendars. 

► Phase 2. Cultivate collaboration with 
virtual tools. 

The second phase of planned SoS VO capabilities 
is intended to expand the reach of cybersecurity 
science information to a much broader commu- 
nity of users. One of the exciting features being 
developed will allow videos of research reviews 
to be viewed online in both real-time stream- 
ing and archived formats. This capability should 
permit users to become involved much more 
easily in reviews without the time and budget 
constraints of long distance travel. Discussion 
forums, blogs, content subscriptions, chat, wikis, 
and user profiles are being created to permit in- 
creased interaction among users and to promote 
simple forms of collaboration. 

FIGURE 1. The Science of Security Virtual Organization (SoS VO) enables those interested in cybersecurity science
to survey current research; stay current on news in the field; find out about events related to cybersecurity 
science; collaborate with others using chat, video conferencing, and forums; share work by uploading documents 
and creating wikis; and access educational resources contributed by members. Visit cps-vo.org/group/SoS to 
learn more. 

► Phase 3. Strengthen collaboration with
social networking. 

Ultimately, the capabilities delivered by the 
SoS VO, as well as the CPS VO, were conceived 
to promote community collaboration in order 
to advance science. The features deployed in the 
first phases of the SoS VO should help to cre- 
ate a broad community of users and establish a 
focal point for their interactions. But it is the last 
group of capabilities offered by the SoS VO that 
should enable the type of robust collaboration 
desired by blending elements of social network- 
ing with a rich set of communication and re- 
search tools. Some of the features currently being 
planned in this phase include: 

» Research toolsets and datasets; 

» On-demand video conferencing; 

» Desktop sharing; 

» Individual user space, dashboard, etc.; 

» Interface personalization; 

» Subscription services; 

» Cybersecurity science-related newsfeeds; 

» A multimedia library; and 

» Open research support. 

SoS VO rollout 

The establishment of the SoS VO is founded on the 
beliefs that open collaboration can play a key role in 
advancing cybersecurity science and that the avail- 
ability of a platform where researchers can share, col- 
laborate, and learn is vital to building community. The 
structure and features of the SoS VO attempt to lever- 
age popular features provided by social networking 
technology with rich domain-specific content to create 
a focal point for cybersecurity science research. The 
pilot version of the SoS VO has evolved dramatically
in form and content since its inception in 2011, and
it will continue to evolve as user feedback is received
when it becomes operational and as the cybersecurity
science community matures.

UK's new Research Institute
investigates the science
of cybersecurity

How do we know when we are "secure enough"? How do we decide how best to spend our 
precious security budget? How do we reduce our reliance on individual expert judgement 
and make better, more objective security decisions? It is always challenging to bring 
scientific rigor to bear on a complex, real world problem, and this challenge applies in spades 
to the relatively young discipline of cybersecurity. Practitioners must work hard to stay on top 
of ever changing technologies and a rapidly evolving threat environment, and simply keeping 
abreast of "best practice" is challenging. Yet we must — if we want to ever get ahead of the curve — 
develop a more systematic, rigorous approach based on foundational scientific knowledge 
and understanding. 

The UK government recently announced the formation of a virtual Research Institute to improve 
understanding of the science behind the growing cybersecurity threat. The Institute, which is 
funded by a £3.8 million grant ($6.14 million US), is part of a cross-government commitment 
toward increasing the nation's academic capability in all fields of cybersecurity. 

Established by the Government Communications
Headquarters (GCHQ), in partnership with the UK 
Research Councils (RCUK) and the Department for 
Business, Innovation and Skills (BIS), the Research 
Institute is a virtual organization involving seven uni- 
versities. It will allow leading academics in the field of 
cybersecurity, including social scientists, mathemati- 
cians, and computer scientists from across the UK, to 
work together. It will also connect them with the collective
expertise of industry security experts and international
researchers in the field — with a particularly
close relationship expected with the US. The Research
Institute opened for business on October 1, 2012, and 
is funded for a period of three and a half years. 

Universities were selected following a tough com- 
petitive process in which they had to devise new re- 
search programs to address one of two key challenges: 

► How secure is my organization? 

► How do we make better security decisions? 

Addressing these very practical challenges requires 
a blended approach from researchers, drawing from 
both technological and behavioral disciplines. Four 
teams were successful: 

► University College London, working with Uni- 
versity of Aberdeen; 

► Imperial College, working with Queen Mary
College and Royal Holloway, University
of London;

► Royal Holloway, University of London; and 

► Newcastle University, working with 
Northumbria University. 

University College London (UCL) was selected 
to host the Research Institute, with Professor Angela 
Sasse taking the role of director of research. At the 
press launch, Sasse acknowledged the strong multi- 
disciplinary nature of the research portfolio, saying, "I 
am delighted to be leading the new Research Institute. 
This is an opportunity to work closely with colleagues 
from different scientific disciplines to tackle the tech- 
nical, social, and psychological challenges that effec- 
tive cybersecurity presents." 

As well as being cross-disciplinary, the research 
portfolio is an exciting blend of theoretical work 
and experimentation in "the field" — with "the field"
meaning real organizations, operational information
technology (IT) systems, and real, live users. The work
is unusual in being focused firmly on improving security
within organizations rather than for individual
citizens. It is equally applicable to governmental or 
commercial organizations. The collaborative approach 
between academia, industry, and government will 
ensure that research is relevant and inspired by real 
world, cutting edge security issues. 

The winning projects 

UCL's project is entitled "Productive security: Improv- 
ing security compliance and productivity through 
measurement" and will focus on the behavior of users 
within the workplace. This work builds on a growing 
body of evidence that security policies and control are 
not fully effective because employees either cannot 
or will not comply with them [1, 2]. A key reason for 
noncompliance is the combination of employee work- 
load and the complexity of security controls chosen. 
Yet many security decision makers do not factor the 
impact on employees, their tasks, and the company's 
business processes into their decision about which 
security controls to put in place. Current attempts to 
educate employees about the need for security are of 
questionable effectiveness because they simply push 
more information on people who are already over- 
worked. Even in organizations with high security 
awareness, noncompliance can be observed because 
the security policy causes excessive friction or is not 
agile enough to meet the needs of the business [3, 4]. 

The project will work with at least two major com- 
panies to collect data on employees' workload, risk 
perception, and the resulting security behaviors. It will 
use that data to develop a decision support model to 
allow security professionals to balance the impact of 
security controls on employees and business processes 
against the risk mitigation the controls can achieve. 

The lead researchers are Professor Angela Sasse 
of UCL and Professor David Pym of University 
of Aberdeen. 

In contrast to UCL, the three-party team led by 
Imperial College will work on the Research Institute's 
most heavily theoretical program. The project, "Games 
and abstraction: The science of cybersecurity," will 
develop new approaches to decision support based on 
mathematical game theory. The project is academically 
ambitious in attempting to combine three major disciplines:
game theory, machine learning, and abstract
interpretation. For example, no connection has been
established so far between abstract interpretation and
these other areas.

Game theory, the theory developed for the mathematical
analysis of multiperson strategic decision making [6],
has been increasingly applied in the last decade in
cybersecurity. Examples of applications can be found
in the fields of intrusion detection systems, anonymity
and privacy, economics of network security, and
cryptography. A state-of-the-art survey of these applications
is given in Alpcan and Başar's Network Security: A
Decision and Game Theoretic Approach [7]. This new work
will build on the game theoretical model developed
by Lye and Wing [5]. A limitation of this work is
that the attacker model is based on a set of known
strategies; part of the proposed research is to extend
the approach to deal with previously unseen attacks
(e.g., zero days) and emerging behaviors. The
research objectives are to:

► Model complex scenarios by developing 
mathematical abstraction techniques for 
stochastic games, using techniques originat- 
ing in probabilistic abstract interpretation and 
machine learning; 

► Provide a precise way to analyze how results of 
optimal behavior in the abstract models relate 
to the optimal or near-optimal behaviors in 
complex real scenarios; and 

► Demonstrate the results by proof-of-concept 
implementations and test on realistic data 
provided through empirical studies. 

The lead researchers are Professor Chris Han- 
kin of Imperial College; Professor Dusko Pavlovic 
of Royal Holloway, University of London; and Dr. 
Pasquale Malacaria of Queen Mary College. 

FIGURE 1. The University College London will host the Research Institute, a virtual
organization that will bring together cybersecurity experts from around the world.

Royal Holloway, University of London's project
is entitled "Cybersecurity cartographies." Its goal is
to develop ways of visualizing the different means in 
which both people and technology protect important 
data. The project brings together the disciplines of art 
and design, network security, and organizational secu- 
rity in order to develop a range of visualization tech- 
niques that better inform security managers about the 
strength of data protection across their cyber estate. 

Security managers use a combination of organi- 
zational, physical, and technical controls to provide 
robust information asset protection. Control lists, such 
as those in Annex A of ISO 27001 (i.e., an informa- 
tion security management system standard), have long 
acknowledged the need for the three types of control, 
but no methods are available to systematically com- 
bine them. In addition, risk management techniques 
do not include visualization methods that can present 
a combined picture. To address these gaps, the project 
will further develop existing research on the influence 
of cultural and organizational techniques on policy 
compliance [8]. It will also develop techniques to 
combine interpretive cartography with informational 
cartography using a visualization framework [9]. In 
addressing these gaps, the work will help security 
managers to develop well informed trade-offs between 
security and other business drivers, while supporting 
their existing skills and expertise.

FIGURE 2. The Research Institute's director of research is
Professor Angela Sasse of University College London.

The lead researcher is Dr. Lizzie Coles-Kemp of 
Royal Holloway, University of London. 

Finally, Newcastle University is working on the 
project "Choice architecture for information security." 
Newcastle's research hypothesis is that there exists a 
rigorous choice architecture which will nudge deci- 
sion makers to make demonstrably better information 
security decisions. Newcastle's approach takes inspira- 
tion from the work on nudging from the behavioral 
economics community [10]. Nudging provides a 
framework to influence decision makers in a subtle 
way. The theory will be applied to scenarios relating to 
consumerization [11] (i.e., the use of personal devices 
in the workplace) and will also be relevant to the 
broader issue of work-life integration (i.e., the blurring 
of the boundaries between work and home life). 

In addition, part of the novelty of the approach will 
be the ability to integrate rigorous security assessment
with psychological ownership models adapted from
the occupational psychology literature [12, 13]. 

The research objectives are to: 

► Understand the psychological phenomena that 
dictate security behavior relevant for data protec- 
tion in consumerization scenarios, from the vari- 
ous perspectives of the chief information security 
officer, IT administrators, and employees; 

► Develop a choice architecture for these scenarios; 

► Implement a toolset to implement the choice 
architecture — steering the decision maker to
"better" decisions; and 

► Experimentally evaluate the 
improvements delivered. 

The lead researchers are Dr. Aad van Moorsel of 
Newcastle University and Professor Pamela Briggs of 
Northumbria University. 

Conclusion 

In mid-2012, GCHQ, BIS, and RCUK awarded the 
Academic Center of Excellence (ACE) in Cyberse- 
curity Research to eight UK universities [14]. This 
initiative, the first part of a broad, joint response to 
the UK government's national cybersecurity strategy 
[15], will enhance the UK's cyber knowledge through 
original research. 

The establishment of the Research Institute is 
another part of the broad response to the UK gov- 
ernment's national cybersecurity strategy [15]. The 
strategy describes how the government is working 
with academia and industry to make the UK more re- 
silient to cyberattacks. Both the ACE and the Research 
Institute initiatives are harnessing the vital role that 
academia has to play in supporting and developing the 
UK's capability in cybersecurity.

About GCHQ 

Government Communications Headquarters (GCHQ)
is one of three UK intelligence agencies. GCHQ provides
intelligence, protects information, and informs
relevant UK policy to keep our society safe and suc- 
cessful in the Internet age. 

On May 29, 2009, in the East Room of the White House, President Barack Obama announced
that his administration will pursue a new comprehensive approach to securing America's 
digital infrastructure. During the speech on "Securing our nation's cyber infrastructure," [1] 
he noted the following: 

. . . we will begin a national campaign to promote cybersecurity awareness and digital
literacy from our boardrooms to our classrooms, and to build a digital workforce for the
21st century. And that's why we're making a new commitment to education in math and
science, and historic investments in science and research and development. Because
it's not enough for our children and students to master today's technologies — social
networking and emailing and texting and blogging — we need them to pioneer the
technologies that will allow us to work effectively through these new media and allow us
to prosper in the future.

"Building capacity for a digital nation," part II of the
president's cyberspace policy review [2], included recommendations
around the idea that the general public
needs to be well informed to use technology safely, 
that the US needs a technologically advanced work- 
force to remain competitive in the twenty-first century 
economy, and that math and science must be a priority 
in schools. The review suggested that the US should 
initiate a K-12 cybersecurity education program for 
digital safety, ethics, and security; expand university 
curricula; and set the conditions to create a competent 
workforce for the digital age. To help achieve these 
goals, the review stated that the nation should: 

► Promote cybersecurity risk awareness for 
all citizens; 

► Build an education system that will enhance 
understanding of cybersecurity and allow 
the US to retain and expand upon its scien- 
tific, engineering, and market leadership in 
information technology; 

► Expand and train the workforce to protect the
nation's competitive advantage; and

► Help organizations and individuals make smart 
choices as they manage risk. 

In response to the president's cyberspace policy review,
the National Security Staff (NSS)'s Cybersecurity
Directorate and the Office of the Director of National
Intelligence (ODNI)'s Joint Interagency Cyber Task
Force formed an interagency working group to expand 
the Comprehensive National Cybersecurity Initiative 
(CNCI)'s initiative #8 — Expand Cyber Education — to 
encompass a national, rather than federal, focus. The 
goal of the working group was to formulate a recom- 
mendation for the Information and Communications 
Infrastructure Interagency Policy Committee (ICI- 
IPC) on a way forward for a national program to im- 
prove cybersecurity awareness, education, workforce 
structure, and training. 

The working group consisted of representatives 
from the NSS Cybersecurity Directorate staff; ODNI; 
the Departments of Commerce, Defense (DoD), 
Education, Homeland Security (DHS), Justice (DoJ),
Labor (DoL), State, and Treasury; NSA; the Office 
of Personnel Management (OPM); the Office of 
Management and Budget; and the Office of Science 
and Technology Policy. The group worked for several 
months to finalize a recommendation to the ICI-IPC
on the governance model for a national cybersecurity
education program. The recommendation resulted in 
the March 2010 creation of an interagency structure 
and governance model for the National Cybersecurity 
Education Initiative, renaming it the National 
Initiative for Cybersecurity Education (NICE) [3]. 

National Initiative for 
Cybersecurity Education (NICE) 

With NICE, the federal government aims to enhance 
the overall cybersecurity posture of the US by ac- 
celerating the availability of educational and training 
resources designed to improve the cyber behavior, 
skills, and knowledge of every segment of the popula- 
tion. This will enable a safer cyberspace for all. The 
initiative has established three underlying goals: 

► Raise national awareness about risks 
in cyberspace, 

► Broaden the pool of individuals prepared to 
enter the cybersecurity workforce, and 

► Cultivate a globally competitive 
cybersecurity workforce. 

The recommendation identified the National 
Institute of Standards and Technology (NIST) as the 
overall lead with four components (shown in figure 1). 

Interagency structure 

NICE will be represented by the following 
four components. 

1. National cybersecurity awareness campaign.

The goal of this component, led by DHS, is 
to improve the cybersecurity behavior of the 
American public. DHS is doing this by deliver- 
ing a national public awareness campaign — 
Stop.Think.Connect. [4] — aimed at increasing 
the understanding of cyber threats and empow- 
ering the American public to be safer and more 
secure online. A core strategy of the campaign 
is a National Cyber Awareness Coalition [5], 
which comprises federal agency partners as well 
as state and local governments. The Coalition 
offers a mechanism for message and materials 
dissemination. Making effective use of the com- 
munications channels and outreach capabilities 
of the Coalition members is key to extending 
the campaign's reach. Projects within this
component include: 

» Planning and executing Cyber Tours [6] 
nationwide to directly engage communi- 
ties in promoting awareness and initiating 
a dialogue about the dangers individuals 
face online; 

» Launching and expanding the National 
Network, a spin-off of the National Cyber 
Awareness Coalition, which will mirror 
the Coalition but be open for membership 
from any national nonprofit organization; 

» Improving the Stop.Think.Connect. re- 
sources, such as the Toolkit [7]; 

» Finding new outreach opportunities and
mechanisms to spread the campaign's
message; and

» Increasing coordination of the campaign 
and National Cyber Security Awareness 
Month (NCSAM), including incorporating 
Stop.Think.Connect. language in the state 
proclamations and conducting a Cyber 
Tour during NCSAM. 

2. Formal cybersecurity education. The goal of this 
component, led by the Education Department 
and National Science Foundation (NSF), is to 
broaden the pool of skilled workers for a cyber- 
secure nation. It is responsible for supporting 
formal education to increase both the number 
of people with cybersecurity knowledge, skills, 
and abilities and the quality of the cybersecurity 
capabilities held by those people. Projects within 
this component include: 

» Making the connection between cyberse- 
curity and science, technology, engineer- 
ing, and mathematics (STEM); 

» Disseminating common evidence standards
in pre-K-12 education;

» Promoting the growth of effective cyber- 
security competitions in high schools and 
higher education; 

» Facilitating the development of curricular 
recommendations in high schools and 
higher education; and 

» Coordinating a learning network of virtual 
national cybersecurity laboratories. 

3. Cybersecurity workforce structure. The goal of 
this component, led by DHS and supported by 
OPM, is to define cybersecurity jobs, attraction, 
recruitment, retention, and career path strate- 
gies. This component contains the following sub- 
component areas: the federal workforce (led by 
OPM), the government (nonfederal) workforce 
(led by DHS), and the private sector workforce 
(led by the Small Business Administration, DoL, 
and NIST). 

This component focuses on talent manage- 
ment of cybersecurity professionals. It aims to 
evaluate the professionalization of the workforce, 
recommend best practices for forecasting future 
cybersecurity needs, and define national strate- 
gies for recruitment and retention. Projects 
within this component include: 

» Professionalization — establishing a 
methodology for identifying cybersecu- 
rity areas to be professionalized [8] and 
providing a central national resource for 
cybersecurity professionalization. 

» Workforce planning — delivering a meth- 
odology for accurately forecasting cyber- 
security workforces across government, 
industry, and academia. 

» Recruitment and retention — providing,
disseminating, and maintaining a strategy 
and set of materials for recruiting and 
retaining cybersecurity professionals at the 
national level. 

4. Cybersecurity workforce training and
development. The goal of this component, led
by DHS, DoD, and ODNI, is to develop and 
maintain an unrivaled cybersecurity workforce. 
It contains the following functional areas: general 
IT use (led by DHS and the Department of the 
Navy); information technology infrastructure, 
operations, maintenance, and information assur- 
ance (led by DoD and DHS); domestic enforce- 
ment and counterintelligence (led by the Defense 
Cyber Crime Center, the Office of the National 
Counterintelligence Executive, DoJ, and the US 
Secret Service); and specialized cybersecurity 
operations (led by NSA). 

This component is responsible for defining 
the cybersecurity workforce and identifying the 
training and professional development required 
for the nation's cybersecurity workforce. Projects 
within this component include: 

» National Cybersecurity Workforce 
Framework [9] — providing a common 
language to define cybersecurity work. 
The Framework defines specialty areas; 
knowledge, skills, and abilities (KSAs); 
and competencies. 

» Training catalog/National Institute for 
Cybersecurity Studies portal — serving 
as a national online resource for infor- 
mation about cybersecurity awareness, 
education, careers, and professional 
development. It provides an online web 
resource that has a robust and representa- 
tive collection of training opportunities 
mapped to the National Cybersecurity 
Workforce Framework. 

» Workforce inventory — collecting data 
to baseline and identify the current state 
of the IT workforce and assess current 
cybersecurity capabilities. 

» Training gap analysis — ensuring that 
available training is appropriate in terms of 
quality, need, and content. 



FIGURE 1. The National Initiative for Cybersecurity Education 
(NICE) is broken into four components aimed at enhancing the 
overall cybersecurity posture of the US. [Figure panels: National 
cybersecurity awareness; Formal cybersecurity education; 
Cybersecurity workforce structure; Cybersecurity workforce training 
& professional development.] 



» Professional development road maps — 
developing resources which depict career 
progression from entry to expert within 
each specialty area. 

Relationship to the cybersecurity R&D 
science of security thrust 

In December 2011, the White House released "Trustworthy 
cyberspace: Strategic plan for the federal cybersecurity 
research and development program" [10] 
that included a thrust on developing scientific founda- 
tions. This thrust challenges the research and develop- 
ment (R&D) community to organize the knowledge in 
the field of cybersecurity and to investigate universal 
concepts that are predictive and transcend specific 
systems, attacks, and defenses resulting in a cohesive 
understanding of underlying principles of cybersecu- 
rity. This thrust will enable investigations that affect 
large-scale systems and will promote the development 
of hypotheses subject to experimental validation; it 
will also support high-risk explorations needed to 
establish a scientific basis and to form public-private 
partnerships of government agencies, universities, 
and industry. 

NICE seeks to organize the knowledge in the field 
of cybersecurity education by supporting the develop- 
ment of cybersecurity awareness and educational con- 
tent appropriate for different audiences and students. 
NICE also seeks to identify and develop consensus on 
universal concepts that support increased cybersecurity 
awareness, expand cybersecurity education, and 
nurture a cybersecurity workforce that is prepared to 
support our nation's future. 

NICE will continue to form public-private partner- 
ships to achieve its goals. Leadership from the private 
and academic sectors is critical to the success of the 
NICE strategy to help organize disparate areas of 
knowledge. The R&D strategy noted that developing a 
strong, rigorous scientific foundation to cybersecurity 
helps the field by providing structure and organiza- 
tion to a broad-based body of knowledge in the form 
of testable models and predictions. This is true for 
NICE as well, but rather than testable models and 
predictions, NICE needs to develop common core 
state standards [11] for cybersecurity that will enable 
cybersecurity to be incorporated into K-12 education. 
The formation of cybersecurity education and aware- 
ness into a common core standard like the one already 
designed for mathematics [12] will help define what 
students should understand and be able to demon- 
strate in their study of cybersecurity. 

Increased exposure to cybersecurity concepts, 
including computational thinking [13] in K-12 
education, and an overall STEM emphasis in K-12 
education will produce more students with the skills 
necessary to perform cybersecurity R&D as they 
matriculate through universities, academies, colleges, 
and institutes of technology. NICE believes that the 
innovative skills gained while performing R&D in an 
academic environment will translate into more people 
capable of performing and leading cybersecurity R&D 
activities within both the federal government and the 
nation's high-tech industries. NICE also recognizes the 
need to keep up with the innovations developed by the 
R&D community as the initiative continues its pursuit 
of its strategic goals. 

The science of cybersecurity workforce 

The National Cybersecurity Workforce Framework 
provides a common set of definitions for the cyberse- 
curity workforce. The Framework brings consistency 
to how cybersecurity work is defined and described. 
It provides a common language to discuss and un- 
derstand the work requirements of cybersecurity 
professionals, empowering our nation's agencies and 
industries to: 



► Baseline capabilities, 

► Identify skill gaps, 

► Develop cybersecurity talent in the 
workforce, and 

► Prepare the pipeline of future talent. 

The Framework organizes the cybersecurity work- 
force into seven broad categories, then into thirty- 
one specialty areas. These specialty areas are further 
broken down into work roles and then KSAs. Some 
organizations may mix roles or specialty areas; this is 
a major strength for the Framework in that it can be 
customized to fit the needs of an organization and still 
maintain its integrity. The Framework was developed 
in collaboration with subject matter experts from gov- 
ernment, nonprofits, academia, and the private sector. 

The Framework concept began before the estab- 
lishment of NICE and grew out of the recognition 
that the cybersecurity workforce (federal and private 
industry) could not be measured and that the roles 
needed to support our nation's cybersecurity were 
undefined. To combat this challenge, the federal Chief 
Information Officers (CIO) Council [14] began a 
Cybersecurity Workforce Development Matrix effort 
in 2008, when the organization was tasked to provide 
a standard framework to understand the cybersecurity 
roles within the federal government. In 2008, the CIO 
Council's Information Technology Workforce Com- 
mittee (ITWC) conducted an environmental scan and 
produced a research report that referenced where oth- 
er information technology professional development 
efforts were also underway, including the "Essential 
Body of Knowledge (EBK) report" and "The Commit- 
tee of National Security Systems (CNSS) standards." 
Specific roles were identified as needed by agencies to 
conduct cybersecurity work. 

In November 2011, thirteen roles were identified 
and four cybersecurity development matrices were 
published by the federal CIO Council along with 
the "Cybersecurity workforce development matrix 
resource guide" [15] to instruct managers on how to 
use the matrices. The roles and initial matrices were 
created based on input from focus groups consisting 
of subject matter experts from many federal agen- 
cies. The federal CIO Council's Information Security 
and Identity Management Committee (ISIMC) and 
ITWC advised on the project. Plans are underway 
to link the matrices to the Framework by providing 
sample illustrations of how the specialty areas within 
the Framework can be mapped to create various 
cybersecurity roles. 

The Framework is comprehensive and inherently 
flexible, allowing organizations to adapt its content to 
their human capital and workforce planning needs. 
The work conducted in the federal CIO Council's 
Cybersecurity Workforce Development Matrix project 
will be leveraged to provide government organizations 
with sample applications of how they can adjust the 
Framework to suit their own workforce needs. These 
sample applications provide an option for each depart- 
ment or agency to customize their template through 
the Framework model. Over time, these examples will 
be expanded to include the education, experience, 
credentials, and training needed by an individual for 
each role. 

The Framework [9], published in August 2012, 
enabled the issuance of cybersecurity functional codes 
by OPM on October 1, 2012, in their "Guide to data 
standards" [16]. Use of these cybersecurity function 
codes will enable OPM and federal agencies to identify 
the cybersecurity workforce; determine baseline capa- 
bilities; examine hiring trends; identify skill gaps; and 
more effectively recruit, hire, train, develop and retain 
a valuable cybersecurity workforce. 

An increased focus on the science of security at our 
nation's institutions of higher learning based on the 
R&D strategic plan's thrust of developing scientific 
foundations will produce graduates ready to enter the 
cybersecurity workforce with the skills to organize dis- 
parate areas of knowledge, leverage the universal laws 
to be discovered, and apply scientific method to their 
work. The National Cybersecurity Workforce Frame- 
work developers recognize that it will be vital for the 
workforce and science and technology communities to 
work together to acknowledge and communicate the 
importance of these skills and other newly discovered 
KSAs needed within our nation's workforce. 

NICE end-state vision 

Looking to the future, NICE envisions a developed 
workforce that is prepared to ensure an organized and 
unified response to cyber incidents. NICE envisions 
a nation that is prepared to work together to secure 
America's information and communications networks. 
Public-private partnerships, established to meet the 
NICE goals, will continue to collaborate to meet the 
demands of new threats and to utilize cutting-edge 
R&D which is delivering the innovation and discovery 
that the nation needs to meet the challenges of 
our time. NICE envisions increased cybersecurity 
awareness from our boardrooms to our classrooms 
and a strong cybersecurity workforce for the twenty-first 
century. 

Cyberspace, a global "virtual" village enabled 
by hyperconnected digital infrastructures, has 
transformed the daily lives of people for the 
better. Regardless of distance and location, families 
and friends can see and talk with one another as if in 
the same room. Cyber economies create new opportu- 
nities. Every sector of the society, every discipline, has 
been transformed by cyberspace. It is no surprise that 
today cyberspace is critical to our national priorities 
in commerce, education, energy, financial services, 
healthcare, manufacturing, and defense. 

The rush to adopt cyberspace, however, has exposed 
its fragility. The risks of hyperconnectedness have 
become painfully obvious. The privacy of personally 
identifiable information is often violated on a massive 
scale by persons unknown. Competitive advantage 
is eroded by the exfiltration of significant intellectual 
property. Law enforcement is hobbled by the difficulty 
of attribution, by national boundaries, and by uncertain 
legal and ethical frameworks. All these concerns 
now affect the public's trust of cyberspace and the ability 
of institutions to fulfill their missions. 

Cybersecurity is arguably the most important chal- 
lenge confronting society in the information age. No 
one — whether government, business, or individual — is 
exempt from the ravages of malicious cyber acts upon 
information technologies. The intelligent cyber adver- 
sary, whether human or software, learns and evolves to 
exploit, disrupt, and overpower cyber defenses, even 
as they are improved and strengthened. But posing 
cyber conflict solely in terms of classic attackers and 
defenders shortchanges the diversity and subtlety 
of the motivations, incentives, ethics, asymmetries, 
and strategies of the constituent actors and players 
in cyberspace. Addressing the challenge of securing 
cyberspace requires a coordinated multidisciplinary 
approach including computer scientists, mathemati- 
cians and statisticians, economists, behavioral scien- 
tists and sociologists, education experts, and engineers 
from many areas, all contributing to the body of 
knowledge on cybersecurity. Ultimately, the goal of 
such a multidisciplinary effort is the development of 
a science of cybersecurity, leading to practical, usable, 
and deployable technologies. 

As a step toward creating such a science of 
cybersecurity, the National Science and Technology 
Council (NSTC) with the cooperation of the National 
Science Foundation (NSF) put forth a 2011 report, 
"Trustworthy cyberspace: Strategic plan for the federal 
cybersecurity research and development program" [1]. 
The plan identifies a broad, coordinated research 
agenda to make cyberspace secure and trustworthy. 
Research in cybersecurity must "change the game," 
check the misuses of cyber technology, bolster 
education and training in cybersecurity, establish a 
science of cybersecurity, and transition promising 
cybersecurity research into practice. The objective is to 
make cyberspace worthy of the public's trust. 

NSF's Secure and Trustworthy 
Cyberspace (SaTC) program 

NSF's new program for secure and trustworthy cyber- 
space (SaTC) supports the NSTC strategic plan for a 
trustworthy cyberspace. It recognizes that cyberspace 
will continue to grow and evolve and that advances in 
the sciences and technologies will create new leap- 
ahead opportunities expanding cyberspace. It recog- 
nizes that cybersecurity must also grow and coevolve 
along with cyberspace and that a secure and trust- 
worthy cyberspace will ensure continued economic 
growth and future technological innovation. 

The SaTC program is seeking research pro- 
posals that address cybersecurity from three 
distinct perspectives: 

► Trustworthy computing systems; 

► Social, behavioral, and economic sciences; and 

► Transition to practice. 

In addition, the SaTC program is seeking research 
proposals that integrate research addressing two or 
more of these perspectives, as well as proposals focus- 
ing entirely on cybersecurity education. 

The following sections of this article describe 
the SaTC cybersecurity research perspectives. Each 
section outlines the projects and proposals that are 
of interest to the SaTC program within the relevant 
research perspective. 



Trustworthy computing 
systems perspective 

The trustworthy computing systems perspective aims 
to provide the basis for designing, building, and oper- 
ating a cyber infrastructure with improved resistance 
and improved resilience to attack that can be tailored 
to meet a wide range of technical and policy require- 
ments, including both privacy and accountability. The 
broad scope of this work supports all research ap- 
proaches from theoretical to experimental, including 
participation by human subjects. Theories, models, 
cryptography, algorithms, methods, architectures, lan- 
guages, software, tools, systems, and evaluation frame- 
works are all of interest as potential research projects. 

Of particular interest is research that addresses how 
better to design desired security and privacy proper- 
ties into components and systems. Methods for raising 
attacker costs by incorporating diversity and change 
into systems, while preserving system manageability, 
are also relevant. 

The SaTC program welcomes studies of the 
trade-offs among trustworthy computing proper- 
ties (e.g., security and usability, or accountability and 
privacy) as well as work that examines the tension 
between security and human values, such as open- 
ness and transparency. Also, methods to assess, reason 
about, and predict system trustworthiness, including 
observable metrics, analytical methods, simulation, 
experimental deployment — especially deployment 
on live test beds for experimentation at scale — will 
be considered. Statistical, mathematical, and compu- 
tational methods in the area of cryptographic meth- 
ods, new algorithms, risk assessments, and statisti- 
cal methods in cybersecurity are also of interest to 
the program. 

Social, behavioral, and economic 
sciences perspective 

Research addressing the social, behavioral, and 
economic sciences (SBE) perspective of cybersecurity 
may focus on the individual, group, organizational, 
market, and societal levels, identifying cybersecurity 
risks and exploring the feasibility of potential solu- 
tions. All research approaches, including (but not 
limited to) theoretical, experimental, observational, 
statistical, survey, and simulation-based are of interest. 

A variety of methods can be used in 
research from the SBE perspective, 
including field data, laboratory experi- 
ments, observational studies, simula- 
tions, and theoretical development. 

Not all work that examines aspects 
involving people falls within the SBE 
perspective. If such aspects are not the 
primary focus of the proposal, or if the 
aspects involving people merely apply 
the social, behavioral, or economic sci- 
ences instead of contributing to them, 
the proposal might fit under the trust- 
worthy computing systems perspective 
as human factors research. 

Research with the SBE perspective as 
its primary perspective must have the social, behav- 
ioral, or economic sciences as its main focus and must 
involve theoretical or methodological contributions 
to those sciences. Contributions to the social, behav- 
ioral, or economic sciences may include identifying 
generalizable theories and regularities and should 
push the boundaries of the current understanding of 
social, behavioral, or economic phenomena in cyber- 
security. The SaTC program seeks research that holds 
the promise of constructing new social, behavioral, 
or economic science theories that would apply to a 
variety of domains, or new generalizations of existing 
theory which clarify the conditions under which such 
generalizations hold (i.e., scope conditions). 

More inductive or interpretative approaches may 
contribute to the social, behavioral, or economic sci- 
ences as well, especially if they set the groundwork 
for generalizable research or reveal broad connections 
that advance understanding in those sciences. The 
SBE perspective proposals should clearly state and 
elaborate how the proposed research will contrib- 
ute to the social, behavioral, or economic sciences. 
Research proposals that involve the SBE perspective, 
but not as their primary perspective, must include at 
least an application of the social, behavioral, or eco- 
nomic sciences but need not involve a theoretical or 
methodological contribution. 

All SBE perspective proposals must, like all SaTC 
proposals, also contribute toward the goal of creating a 
secure and trustworthy cyberspace. The social, behavioral, 
or economic sciences contribution of any SBE 
perspective proposal must be related to bringing about 
that goal. 

The strongest research proposals should demon- 
strate the capabilities of the research team to bring to 
bear state-of-the-art research in the human sciences. 
These proposals should seek to understand, predict, 
and explain prevention, attack, and/or defense behav- 
iors and should contribute to developing strategies for 
remediation. Proposals that contribute to the design 
of incentives, markets, or institutions to reduce either 
the likelihood of cyberattack or the negative conse- 
quences of cyberattack are especially welcome, as are 
proposals that examine incentives and motivations 
of individuals. 

Research proposals submitted with an SBE perspec- 
tive will be evaluated with careful attention to their: 

► Mutual application of, and contribution to, basic 
social, behavioral, or economic science research; 

► Generalizability to multiple cybersecurity 
settings; 

► Ultimate contribution to the construction of 
institutions that induce optimal behavior; and 

► Value toward creating a secure and 
trustworthy cyberspace. 

Given the nascent state of social, behavioral, and 
economic science research in cybersecurity, work 
that proposes workshops and other opportunities for 
intellectual engagements is welcomed. Such propos- 
als, however, must clarify how the efforts are likely to 
enable future contributions to the SBE perspective, 
preferably from a range of social, behavioral, and 
economic sciences. For research proposals that are 
infrastructure-oriented, those that contribute directly 
to research and go beyond merely providing a re- 
source for other researchers are of special interest. 

Transition-to-practice perspective 

Research proposals with the transition-to-practice 
perspective should address the challenge of mov- 
ing from research to capability. These proposals will 
typically leverage successful results from previous and 
current basic research and focus on later stage activi- 
ties in the research and development life cycle (e.g., 
applied research, development, prototyping, testing, 
and experimental deployment). Strong preference 
will be given to projects whose outcomes result in 
fielded capabilities and innovations of direct benefit to 
networks, systems, and environments supporting NSF 
science and engineering research and education. Any 
software that is developed in this program area will be 
required to be released under an open source license 
listed by the Open Source Initiative [2]. Industry part- 
nerships and collaborations are strongly encouraged. 

Research proposals that are submitted with a 
transition-to-practice perspective will be evaluated 
with careful attention to: 

► The expected impact on the deployed environ- 
ment described in the proposal; 

► The extent to which the value of the proposed 
cybersecurity research and development is 
described in the context of a needed capability 
required by science and engineering and po- 
tential impact across a broader segment of the 
NSF community; 

► The feasibility, utility, and interoperability of the 
capability in its proposed operational role; 

► A project plan that addresses in its goals and 
milestones the demonstration and evaluation of 
a working system in the target environment; and 

► Tangible metrics described to evaluate the suc- 
cess of the capabilities developed and the steps 
necessary to take the system from prototype 
status to production use. 



Cybersecurity education perspective 

The results of SaTC funded research may lead to 
widespread changes in our understanding of the 
fundamentals of cybersecurity that can, in turn, lead 
to fundamentally new ways to motivate and educate 
students about cybersecurity. Proposals submitted 
with this perspective should leverage successful results 
from previous and current basic research in cyberse- 
curity and research on student learning, both in terms 
of intellectual merit and broader impact, to address 
the challenge of expanding existing educational op- 
portunities and resources in cybersecurity. This might 
include, but is not limited to, the following efforts: 

► Defining a cybersecurity body of knowledge and 
establishing curricular recommendations for 
new courses (both traditional and online), de- 
gree programs, and educational pathways leading 
to wide adoption nationally; 

► Evaluating the effects of these curricula on 
student learning; 

► Encouraging the participation of a 
broad and diverse student population in 
cybersecurity education; 

► Developing virtual laboratories to pro- 
mote collaboration and resource sharing in 
cybersecurity education; 

► Developing partnerships between centers of re- 
search in cybersecurity and institutions of higher 
education that lead to improved models for the 
integration of research experiences into cyberse- 
curity degree programs; and 

► Developing and evaluating the effectiveness of 
cybersecurity competitions, games, and other 
outreach and retention activities. 

Additional information on NSF's SaTC program 
solicitation NSF 12-596 is available at 
http://www.nsf.gov/pubs/2012/nsf12596/nsf12596.htm. 

GLOBE AT A GLANCE 

NSF programs in Secure and 
Trustworthy Cyberspace 

Cybersecurity is arguably the most important challenge confronting society in the 
information age. Addressing this challenge requires a coordinated multidisciplinary 
approach, contributing to the body of knowledge on cybersecurity in the respective 
disciplines and leading to practical usable deployable technologies. The National Science 
Foundation's Secure and Trustworthy Cyberspace (SaTC) department is responding to this 
challenge by funding programs across the nation. This map shows the top 20 universities 
with the most active SaTC programs as of December 2012. For more information about 
SaTC programs, see page 37. 

UNIVERSITIES WITH THE MOST NSF SaTC PROGRAMS 

Abbreviation  University                                           No. of Programs 
CMU           Carnegie Mellon University                           11 
UCSD          University of California, San Diego                  11 
Cornell       Cornell University                                   7 
IU            Indiana University                                   7 
PSU           Pennsylvania State University, University Park       7 
UIUC          University of Illinois at Urbana-Champaign           7 
Purdue        Purdue University                                    6 
UT            University of Texas at Austin                        6 
GTRC          Georgia Tech Research Corporation                    5 
ICSI          International Computer Science Institute             5 
Rutgers       Rutgers University-New Brunswick                     5 
BU            Trustees of Boston University                        5 
UCD           University of California, Davis                      5 
UCI           University of California, Irvine                     [illegible] 
UCSB          University of California, Santa Barbara              [illegible] 
UMCP          University of Maryland, College Park                 5 
VT            Virginia Polytechnic Institute and State University  5 
GWU           George Washington University                         [illegible] 
NCSU          North Carolina State University                      [illegible] 
UTD           University of Texas at Dallas                        4 

Cyber threats to US infrastructure on the ri 

The Department of Homeland Security (DHS) Control 
Systems Security Program manages and operates the In- 
dustrial Control Systems Cyber Emergency Response Team 
(ICS-CERT) to provide focused operational capabilities for 
defense of control system environments against emerging 
cyber threats. ICS-CERT responds to cyber threats that 
affect organizations that own and operate control systems 
associated with critical infrastructure and key resources in- 
cluding agriculture and food, banking and finance, chemi- 
cal, commercial facilities, critical manufacturing, dams, 
defense industrial base, drinking water and water treatment 
systems, emergency services, energy, government facilities, 
information technology, national monuments and icons, 
nuclear reactors and materials and waste, postal and ship- 
ping, public health and healthcare, telecommunications, 
and transportation systems. 

To accomplish this mission, ICS-CERT 

► Responds to and analyzes control systems 
related incidents, 

► Conducts vulnerability and malware analysis, 

► Provides on-site support for incident response and 
forensic analysis, 

► Provides situational awareness in the form of 
actionable intelligence, 

► Coordinates the responsible disclosure of 
vulnerabilities/mitigations, and 

► Shares and coordinates vulnerability information 
and threat analysis through information products 
and alerts. 

Companies report cybersecurity incidents to ICS-CERT 
and request analysis support to help determine the extent 
of the compromise and gather information about cyber attacks, 
including the adversary's techniques and tactics. This 
information helps asset owners evaluate their security pos- 
ture and take measures to strengthen their control systems 
and network security. Typical incident response support 
consists of analysis performed in ICS-CERT's Advanced 
Analytics Lab (AAL) on digital media, malware, log files, 
and other artifacts. 

Figure 1 illustrates the number of incident report tickets 
and incident report on-site deployments between 2010 
and 2011. 




FIGURE 1. The number of cyber incident report tickets and 
on-site deployments for 2010 and 2011. 



In 2010, 41 incident reports were received. Of the 41, 
eight resulted in the deployment of on-site response teams. 
An additional seven incidents involved remote analysis 
by the AAL. Figure 2 illustrates the breakout of incidents 
by sector. 

FIGURE 2. The number of cyber incident reports by sector 
in 2010. 



In 2011, ICS-CERT received 198 reports of incidents. 
Of those 198, seven resulted in the deployment of on-site 
incident response teams. An additional 21 incidents in- 
volved analysis efforts by the AAL to identify malware and 
techniques used by the threat actors. Figure 3 displays the 
sector distribution for all incidents reported in 2011. Incidents 
specific to the water sector, when added to those that 
impacted multiple sectors, accounted for over half of the 
incidents due to a large number of Internet-facing control 
system devices reported by independent researchers. 

FIGURE 3. The number of cyber incident reports by sector 
in 2011. 



For more information about ICS-CERT, or to report 
a cybersecurity incident, visit 
http://www.us-cert.gov/control_systems/ics-cert/. 

NSA sponsors science of cybersecurity lablets 



NSA granted $2.5 million to Carnegie Mellon Univer- 
sity, the University of Illinois at Urbana-Champaign, and 
North Carolina State University to fund research lablets 
devoted to developing a more scientific basis for the 
design and analysis of trusted cyber systems — a science 
of [cyber] security (SoS). NSA approved the schools' first 
research proposals for the lablets in December of 2011. 

NSA's goal with these lablets is to create a unified 
body of knowledge in addition to analytics methods 
and tools that can serve as the basis of a trust engineer- 
ing discipline, curriculum, and rigorous design meth- 
odologies. The results of SoS lablet research are to be 
extensively documented and widely distributed through 
the use of a new, network-based collaboration environ- 
ment—the SoS virtual organization. The intention is 
for that environment to be the primary resource for 
learning about ongoing work in cybersecurity science 
and to be a place to participate with others in advancing 
the state of the art. (For more information about the SoS 
virtual organization, see page 20.) 

The lablets' work will draw on several fundamental
areas of computing research. Some ideas from
fault-tolerant computing can be adapted to the context of
security. Strategies from control theory will be extended to
account for the high variation and uncertainty that may
be present in systems when they are under attack. Game
theory and decision theory principles will be used to
explore the interplay between attack and defense. Formal
methods will be applied to develop formal notions of
resiliency. End-to-end system analysis will be employed
to investigate resiliency of large systems against cyber
attack. The lablets' work will draw upon ideas from other
areas of mathematics and engineering as well.



Carnegie Mellon University SoS lablet 




The broad goal of the Carnegie Mellon University 
(CMU) SoS lablet is to identify scientific principles that 
can lead to approaches to the development, evaluation, 
and evolution of secure systems at scale. The focus 
on scalability derives from a recognition that modern 
software-intensive systems have more components and 
a greater diversity of suppliers. The theme of scalability 
includes two principal areas of focus, which are 
composability and usability. Projects within the lablet 
may address diverse and possibly conflicting technical 
approaches in order to most effectively address the 
overall thematic goals. 

Contributing technical areas include safe
programming languages, binary and source code
analysis, data-intensive systems analysis, self-healing
and resilient architecture, assured API (application
programming interface) and framework compliance,
sociotechnical ecosystems, development environments,
trusted computing, specification and verification,
concurrent and distributed systems, requirements
and policy, usable security and privacy, intrusion and
malware detection, dynamic network analysis, model
checking, secure coding practice, secure process
separation, verification of cyber-physical systems,
and others.



The lead principal investigator of the CMU SoS 
lablet is William Scherlis, professor in the School of 
Computer Science at CMU. He is the founding director 
of CMU's PhD Program in Software Engineering and 
director of CMU's Institute for Software Research in 
the School of Computer Science. His research relates 
to software assurance, software analysis, and assured 
safe concurrency. 

The lablet's projects include:

► A language and framework for development of
secure mobile applications,

► Architecture based self-securing systems,

► Improving the usability of security requirements
by software developers through empirical studies
and analysis,

► Learned resiliency: Secure multilevel systems,

► Secure composition of systems and policies,

► Security reasoning for distributed systems
with uncertainties,

► Systematic testing of distributed and
multithreaded systems at scale, and

► Validating productivity benefits of type-like
behavioral specifications.



University of Illinois at Urbana-Champaign SoS lablet 



The University of Illinois at Urbana-Champaign SoS 
lablet, which will be housed in the Information Trust 
Institute at Illinois, will leverage Illinois' expertise 
in resiliency, which in this context means a system's 
demonstrable ability to maintain security properties 
even during ongoing cyber attacks. 

David M. Nicol, the lablet's principal investigator, 
explains, "The complexity of software systems 
guarantees that there will almost always be errors 
that can be exploited by attackers. We have a critical 
need for foundational design principles that anticipate 
penetrations, contain them, and limit their effects, even 
if the penetration isn't detected." 

Nicol is a professor of electrical and computer 
engineering at Illinois and the director of the 
Information Trust Institute. The lablet's leadership 
is shared with coprincipal investigators William H. 
Sanders, who is an ECE professor and director of the 
Coordinated Science Laboratory at Illinois, and Jose 
Meseguer, a professor of computer science. 

The lablet's projects include:

► Classification of cyber-physical system adversaries,

► End-to-end analysis of side channels,

► Enhancing cybersecurity through networks
resilient to targeted attacks,

► From measurements to security science:
Data-driven approach,

► Protocol verification: Beyond
reachability properties,

► Quantitative assessment of access control in
complex distributed systems,

► Quantitative security metrics for
cyber-human systems,

► Scalable methods for security against
distributed attacks,

► Secure platforms via stochastic computing,

► The science of summarizing systems: Generating
security properties using data mining and
formal analysis,

► Theoretical foundations of threat assessment by
inverse optimal control,

► Toward a theory of resilience in systems: A
game-theoretic approach,

► Towards a science of securing
network forwarding, and

► Trust from explicit evidence: Integrating digital
signatures and formal proofs.
North Carolina State University SoS lablet



The North Carolina State University (NC State) 
SoS lablet, which will be housed in the Institute for 
Next Generation IT Systems, will leverage NC State's 
expertise and experience in analytics, including the 
extensive expertise available in the NC State Institute of 
Advanced Analytics. 

The coprincipal investigators for the NC State SoS 
lablet are Dr. Laurie Williams, professor of computer 
science, and Dr. Michael Rappa, director of the 
Institute of Advanced Analytics and professor of 
computer science. 

"The security fortification technique of data 
encryption has a sound mathematical basis, providing a 
predictable and quantifiable level of security based upon 
the strength of the encryption algorithm," Williams 
says. "Conversely, the science behind other security 
techniques that provide vulnerability prevention, 
detection, and fortification is either rudimentary or 
does not exist. As a result, the principles of designing 
trustworthy systems often are not rooted in science. The 
three SoS lablets established by the NSA will research 
techniques to provide this scientific basis." 

The lablet's projects include: 

Full proposals 

► An investigation of scientific principles involved in 
software security engineering, 

► Attaining least privilege through automatic 
partitioning of hybrid programs, 

► Argumentation as a basis for reasoning 
about security, 

► Developing a user profile to predict phishing 
susceptibility and security technology acceptance, 

► Empirical privacy and empirical utility of 
anonymized data, 

► Improving the usability of security requirements 
by software developers through empirical studies 
and analysis, 




security design.

Seedlings

► A science of timing channels in modern 
cloud environments, 

► An adoption theory of secure software 
development tools, 

► Multitarget visualizations for visual analytics, 

► Normative trust toward a principled basis for 
enabling trustworthy decision making, 

► Quantifying underpinnings for network analytics 
as components of composable security, 

► Quantifying mobile malware threats, 

► Spatiotemporal security analytics and 
human cognition, and 

► Studying latency and stability of closed-loop 
sensing-based security systems. 
SPINOUTS

News from the Technology Transfer Program 

Shared technology, shared defense: Spinning out the Vulnerability Tool Suite



One of NSA's critical missions is creating tools
and techniques to provide information assurance
and computer network defense for
systems and networks throughout the US government.
One such product is the Vulnerability Tool
Suite (VTS).

The VTS is a collection of software and hardware
computer network defense tools that has been developed
to support the warfighter and critical national security
communications systems. Typical components
include methods to detect unauthorized hardware and
software installations as well as tools to monitor system
baseline configurations. NSA shares this toolset
with military and civilian government organizations
using a mechanism called a technology transfer sharing
agreement (TTSA) administered by NSA's Technology
Transfer Program (TTP).

Unlike patent license agreements, TTSAs are effectively
no-cost licenses allowing other government
agencies and partners to obtain proprietary NSA
technology through interagency agreements. After entering
into a TTSA with NSA, recipient agencies and
partners are provided access to specific technologies,
periodic updates and upgrades, and in some cases,
training. All TTSAs contain standard legal references
regarding intellectual property rights and each
party's responsibilities. TTSAs typically are in place for
three years.

In the case of the VTS, the TTP and the Information
Assurance Directorate (IAD) are the primary
interfaces between NSA and potential recipients. The
IAD sends the VTS referrals to the TTP on a nearly
daily basis and the IAD and TTP work collaboratively
to execute the agreements. The TTP and IAD also
showcase the VTS at various workshops and conferences
throughout the year. The TTP and IAD meet
periodically to update the VTS toolset contents and
protection plan parameters.

As a result of the collaboration between the IAD
and TTP, the VTS makes up almost 40% of all TTSAs
executed by the Agency. Since mid-2007, NSA's TTP
has executed 123 TTSAs for the VTS.

The VTS TTSA is just one example of how NSA is
providing collaborative network assurance and cyber
defense to all agencies of the US government.



